arXiv: 1501.03028v2 [cs.LO] 3 Nov 2015 


Knowledge in Communication Networks 

Pavel G. Naumov* Jia Tao* 

November 5, 2015 


Abstract 

The article investigates epistemic properties of information flow under communication protocols with a given topological structure of the communication network. The main result is a sound and complete logical system that describes all such properties. The system consists of a variation of the multi-agent epistemic logic S5 extended by a new network-specific Gateway axiom.


1 Introduction 

In this article we study epistemic properties of communication protocols. Consider, for example, a protocol $\mathcal{P}_1$ between agents $p$, $q$, $u$, and $v$. Under this protocol, agent $p$ communicates to agent $q$ a message over a secure communication channel $m$. Next, agent $q$ must communicate the same message over insecure channels to agent $u$. To achieve this, agent $q$ chooses a random one-time encryption pad (“key”) and computes a ciphertext as a bit-wise sum of the message and the key modulo 2. Agent $q$ then sends the key and the ciphertext to agent $u$ over insecure channels $k$ and $c$ accordingly. Finally, agent $u$, upon receiving the key and the ciphertext, computes a bit-wise sum of these two strings modulo 2 and communicates the result over a secure channel $m'$ to agent $v$.


Figure 1: Run $r_1$ of protocol $\mathcal{P}_1$, with channel values $m = 01001$, $k = 11001$, $c = 10000$, and $m' = 01001$.


A run of a protocol is an assignment of values to all communication channels that satisfy the restrictions imposed by the protocol. An example of a run $r_1$ of protocol $\mathcal{P}_1$ is depicted in Figure 1. Note that for any run satisfying the restrictions of $\mathcal{P}_1$, the value of channel $m$ is the same as the value of channel $m'$. Thus, any outside observer who can eavesdrop on channel $m$ under run $r_1$ would be able to learn that channel $m'$ has a value of 01001 on this run. Using epistemic modal logic notation¹ we write this as

$$r_1 \Vdash \Box_m(m' = 01001).$$

At the same time, since there is no connection between the values of the ciphertext $c$ and the original message $m$, an external observer eavesdropping on channel $c$ would not be able to deduce the value of channel $m'$:

$$r_1 \Vdash \neg\Box_c(m' = 01001). \qquad (1)$$


Similarly, 

r\ II—= 01001). (2) 

We now consider a variation of protocol $\mathcal{P}_1$ that we call $\mathcal{P}_2$. Under the second protocol agents $q$ and $u$ are allowed to make a mistake in at most one bit during the encryption and the decryption stages respectively. In other words, the Hamming distance between the value of channel $c$ and the bit-wise sum of values of channels $m$ and $k$ is no more than one. Similarly, the Hamming distance between the value of channel $m'$ and the bit-wise sum of values of channels $c$ and $k$ is no more than one. An example of a run $r_2$ of protocol $\mathcal{P}_2$ is depicted in Figure 2.


Figure 2: Run $r_2$ of protocol $\mathcal{P}_2$, with channel values $m = 01001$, $k = 11001$, $c = 10100$, and $m' = 11101$.


Note that run $r_1$ is also a valid run of protocol $\mathcal{P}_2$. Thus, an external observer eavesdropping on channel $m$ on run $r_2$ is not able to distinguish run $r_2$ from run $r_1$. Hence, such an observer would not be able to conclude that the value of $m'$ is 11101. Therefore, under protocol $\mathcal{P}_2$,

$$r_2 \Vdash \neg\Box_m(m' = 11101).$$

At the same time, an external observer eavesdropping on channel $m$ on run $r_2$ of protocol $\mathcal{P}_2$ should be able to conclude that the value of channel $m'$ is not 01110 because the Hamming distance between 01001 and 01110 is three and, according to the restrictions of protocol $\mathcal{P}_2$, errors could be introduced in at most two bits during the encryption and the decryption stages combined:

$$r_2 \Vdash \Box_m(m' \neq 01110).$$

¹ Similarly to Kane and Naumov [1], we interpret modality $\Box_m$ as “any outside observer who can eavesdrop on channel $m$ knows that ...”, instead of more traditional “agent $m$ knows that ...” [2].

We now consider another variation of protocol $\mathcal{P}_1$ that we call $\mathcal{P}_3$, see Figure 3. The original message $m$ in this protocol is first encrypted into a ciphertext $c$ using a key $k$, then it is recovered as $m'$, then again encrypted and recovered as $m''$. A single bit-error could be introduced by each encryption and decryption stage. Thus, the Hamming distance between strings $m$ and $m''$ could be at most four. Figure 3 shows a possible run $r_3$ of this protocol.

Figure 3: Run $r_3$ of protocol $\mathcal{P}_3$, with channel values $m = 01001$, $k = 11001$, $c = 10100$, $m' = 11101$, $k' = 11011$, and $c' = 00111$.


An external observer eavesdropping on channel $m$ on run $r_3$ under $\mathcal{P}_3$ would not be able to know the exact value of $m'$. However, it would know that the value of channel $m'$ is at a Hamming distance no more than two from the value of $m$. Note that the Hamming distance between the value of $m$ and the string 10110 is five. Thus, due to the triangle inequality, the observer would be able to conclude that the Hamming distance between the value of $m'$ and the string 10110 is at least three. Based on this, the observer would be able to conclude that any other observer eavesdropping on channel $m'$ should know that the value of $m''$ is not equal to 10110:

$$r_3 \Vdash \Box_m\Box_{m'}(m'' \neq 10110).$$

So far we have discussed epistemic properties of individual runs. A property which is true on one run does not have to be true on another. For example, the above formula $\Box_m\Box_{m'}(m'' \neq 10110)$ is not true on any run in which the value of channel $m$ is 10110. However, a similar property is true on all runs of protocol $\mathcal{P}_3$:

(m = 01001) -> 7 b 10110). (3) 

Another property true for all runs of protocol $\mathcal{P}_3$ is

$$\Box_{m'}(m \neq 00000) \to \Box_{m'}(m'' \neq 00000). \qquad (4)$$

Indeed, the assumption $\Box_{m'}(m \neq 00000)$ tells us that an observer of channel $m'$ on the current run can conclude that $m \neq 00000$. Since at most two mistakes can be introduced between channels $m$ and $m'$, we can conclude that the message that the observer sees on channel $m'$ contains at least three digits of 1. Therefore, for a similar reason, this observer will conclude that $m'' \neq 00000$.

A property true for all runs of one protocol does not have to be true for all runs of some other protocols. For example, property (3) is false under protocol where up to two bits could be corrupted during each encryption and each decryption stage. Property (4) is not true under a protocol where agents $q$ and $u$, unlike agents $s$ and $t$, are not allowed to make mistakes.

In this article we study epistemic properties common to all protocols that have the same topological structure² of communication networks. Consider, for example, property

$$\Box_m(m'' \neq 00000) \to \Box_{m'}(m'' \neq 00000). \qquad (5)$$

We will see later in this article that this property is true for each protocol where, as in Figure 3, communication between channels $m$ and $m''$ happens only through channel $m'$.

The above formula (5) involves inequality. Neither inequality nor equality is a part of the language of our system. We only allow propositional symbols as atomic statements. An example of an epistemic property common to all protocols with the network topology depicted in Figure 3 expressible in our language is:

$$\Box_m\Box_{m''}\varphi \to \Box_{m'}\Box_{m''}\varphi. \qquad (6)$$

Informally, this property states that if any observer eavesdropping on channel $m$ is able to deduce that any other observer eavesdropping on channel $m''$ can conclude that some property is true, then the same deduction can be made by any observer eavesdropping on channel $m'$ on the same run. This property, as shown in Example 3, is a special case of our Gateway axiom. We prove the soundness of Gateway axiom with respect to a formally defined semantics in Section 6.

Another, perhaps surprising, example of a property common to all protocols with the network topology depicted in Figure 3 is:

Dm' V t O m 'O m <p V (7) 

Generally speaking, the knowledge of a disjunction of two formulas does not imply the knowledge of either of the two disjuncts. The above formula, however, states that this is true when the disjunct talks about the knowledge of observers located on different sides of channel $m'$. In Section 5, we prove a more general form of property (7).

An epistemic logic for reasoning about communication graphs was proposed by Pacuit and Parikh [3]. Their language consists of two different modalities: an epistemic modality $K_a$ labeled by an agent $a$ and a modality $\Box$ interpreted as “after any sequence of communications under the given protocol it is true that”. They discussed logical principles specific to a given network topology and even gave, in the introduction, a principle similar to our Gateway axiom. However, they did not provide a complete axiomatization of their logical system for a specific topology, even though they proved its decidability.

² As we formally define in the next section, the topological structure of a communication network is an undirected graph with multiple edges.

Kane and Naumov [1] proposed a similar logical system whose language contains only epistemic modality. They eliminated modality “after any sequence of communications” by assuming that all statements refer to the final knowledge after the communication. In this simplified setting they have been able to prove completeness theorem, but only for the case of linear communication networks.

This article extends Kane and Naumov’s work from linear communication chains to arbitrary connected graphs. The logical system introduced in [1] contained two principles capturing topology of linear communication chains: Gateway axiom and Disjunction axiom, similar to properties (6) and (7) above. The more general version of Gateway axiom described in the current article no longer requires Disjunction property as a separate axiom. Instead, we prove this property from the more general version of Gateway axiom in Lemma 2. More importantly, the proof of the completeness theorem for non-linear graphs is completely different from the proof of completeness for linear communication chains. In the case of the proof of completeness for linear communication chains, if an observer of channel $m$ knows certain information about channel $m'$, then it is enough to simply pass this information along the interval between channels $m$ and $m'$. However, the same technique does not apply to non-linear graphs. As we have demonstrated with protocol $\mathcal{P}_1$ and properties (1) and (2), in non-linear graphs an observer of channel $m$ might know certain information about channel $m'$ without anyone between them knowing this information. To be able to prove completeness for non-linear graphs we introduce a new network flow construction described in Section 7.

An applied value of the result in this article is in providing a uniform protocol design procedure for communication networks. Namely, suppose that one needs to design a protocol for a network that satisfies security conditions $\varphi_1, \dots, \varphi_n$ expressed in our modal language. Assume additionally that the physical layout (topological structure) of the network is given and cannot be changed. In such a setting, the protocol designer should be able to either (i) derive formula $\bigwedge_{i \le n} \varphi_i \to \bot$ in our logical system and, thus, prove that the specification of the protocol cannot be met, or (ii) use the construction from our proof of completeness to produce a protocol that satisfies each of the desired conditions $\varphi_1, \dots, \varphi_n$.

Tao, Slutzki, and Honavar UJ introduced a conceptual logical framework for 
answering queries without revealing secrecy to multiple querying agents where 
there is a set of secrets that need to be protected against each of these agents. 
The communication between agents is modeled using a graph. The focus of 
their work is on a privacy-preserving algorithm, not on an axiomatic system. 

This article is also related to the works on information flow on graphs [3 
isi o ei nn], that study properties of nondeducibility, functional dependency, 
common knowledge, and fault tolerance predicates. Unlike those works, this 
article is using a modal language. 

The article is organized as follows. Section 2 introduces relevant terminology from graph theory. Section 3 defines the formal syntax and the semantics for our logical system, which is introduced in Section 4. Section 5 illustrates our logical system by giving several examples of formal proofs in this system. Some of these examples are used later in the proof of completeness. The soundness of the system is established in Section 6. The rest of the article is dedicated to the proof of completeness in Section 7. The proof starts with an informal discussion of a network flow protocol. It continues to formalize the network flow protocol as a canonical communication protocol over the graph. Finally, multiple instances of the canonical protocol are aggregated together to show the completeness of the logical system. Section 8 concludes the article.


2 Graph Theory Preliminaries 

We study epistemic properties common to all protocols with the same topology 
of a channel network. Under such a protocol, multiple messages can be sent 
over the same channel. A value of a channel is the set of all messages communicated
through the channel, possibly in both directions. We specify the network
topology as an undirected graph in which vertices represent agents and edges 
represent communication channels between agents. In this section we introduce 
graph terminology used throughout the rest of the article. 

Graph $(V, E)$ contains a set of vertices $V$ and a set of edges $E$ with an incidence relation between them. We allow loops and multiple edges between the same pair of vertices. We write $e \in Edge(v_0, v_1)$ to state that edge $e \in E$ is one of (possibly multiple) edges between vertices $v_0 \in V$ and $v_1 \in V$. By $Inc(v)$ we denote the set of all edges incident to vertex $v \in V$. By $Inc(e)$ we denote the set consisting of the two ends of edge $e \in E$. For example, $Inc(q) = \{m, k, c\}$ and $Inc(k) = \{q, u\}$ in Figure 3.

Let $e \in E$ be an edge of a graph $(V, E)$ incident to a vertex $v \in V$. If edge $e$ is removed from the graph, remaining graph $(V, E \setminus \{e\})$ might have up to two connected components. By $C^v_e$ we denote the connected component of the graph $(V, E \setminus \{e\})$ that contains vertex $v$. Note that in some cases component $C^v_e$ might be equal to the entire graph $(V, E \setminus \{e\})$. For the graph in Figure 3, component $C^u_{m'}$ consists of vertices $p$, $q$, and $u$ as well as edges $m$, $k$, and $c$. For the same graph, component $C^u_k$ contains all vertices of the original graph and all edges of that graph except for edge $k$.

A path is a sequence $e_0, v_1, e_1, \dots, v_k, e_k$ such that $k \ge 0$, $e_0, \dots, e_k$ are distinct edges, and $v_1, \dots, v_k$ are distinct vertices of the graph such that $e_i, e_{i+1} \in Inc(v_{i+1})$ for each $0 \le i < k$. In Figure 3, sequence $k, u, m', v, c'$ and one-element sequence $c$ are both examples of paths. A circular path is defined similarly except for edges $e_0$ and $e_k$ being the same.

Definition 1 Edge g is a gateway between sets of edges A and B of a graph 
if each path that starts with an edge in set A and ends with an edge in set B 
contains the edge g. 

For example, edge $m'$ is a gateway between sets of edges $\{m, k\}$ and $\{k', c'\}$ in Figure 3. Note that in the above definition edge $g$ can belong to either or both of the sets $A$ and $B$. In Figure 3, edge $k$ is a gateway between singleton set $\{k\}$
and set {m, m
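Definition 1 can be checked mechanically by enumerating paths exactly as they are defined above. The Python sketch below is an added example, not part of the article; the graph is the Figure 3 topology as far as the text fixes it ($Inc(q) = \{m, k, c\}$, $Inc(k) = \{q, u\}$, the path $k, u, m', v, c'$), while placing $k'$ and $c'$ between $v$ and $s$ and $m''$ between $s$ and $t$ is an assumption, as are the function names.

```python
# Inc(e) for every edge of the Figure 3 graph. The part beyond vertex v
# (k', c' between v and s; m'' between s and t) is an assumed layout.
FIG3 = {
    "m": ("p", "q"),
    "k": ("q", "u"),
    "c": ("q", "u"),
    "m'": ("u", "v"),
    "k'": ("v", "s"),
    "c'": ("v", "s"),
    "m''": ("s", "t"),
}


def paths_from(graph, start):
    """Yield the edge list of every path e0, v1, e1, ..., vk, ek with e0 = start.

    Edges on a path are distinct, the vertices v1..vk are distinct, and each
    vertex is shared by the edge before it and the edge after it.
    """
    def extend(edges, seen):
        yield edges                                   # k >= 0: [start] itself is a path
        for v in set(graph[edges[-1]]) - seen:        # next vertex must be new
            for e, ends in graph.items():
                if v in ends and e not in edges:      # next edge must be new
                    yield from extend(edges + [e], seen | {v})

    yield from extend([start], frozenset())


def is_gateway(graph, g, A, B):
    """Definition 1: every path from an edge in A to an edge in B contains g."""
    return all(g in path
               for a in A
               for path in paths_from(graph, a)
               if path[-1] in B)


if __name__ == "__main__":
    print(is_gateway(FIG3, "m'", {"m", "k"}, {"k'", "c'"}))   # the article's example
    print(is_gateway(FIG3, "c", {"m"}, {"m'"}))               # k bypasses c
    # A one-element path matters: an edge shared by A and B other than g
    # is itself a path from A to B that avoids g.
    print(is_gateway(FIG3, "m'", {"m"}, {"m"}))
```

Because a one-element sequence is a path, `is_gateway` returns false whenever $A$ and $B$ share an edge other than $g$, and an edge is always a gateway between its own singleton set and any other set.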


3 Syntax and Semantics 

In this section we define the language and the formal semantics of our logical 
system. These definitions presuppose a fixed signature of the communication 
network. 

Definition 2 A signature $Sig$ is an arbitrary triple $Sig = (V, E, \{P_e\}_{e \in E})$, such that $(V, E)$ is a connected graph and $\{P_e\}_{e \in E}$ is a family of disjoint sets of propositions.

Informally, propositions in set $P_e$ are atomic statements about values of the communication channel $e$.

Different connected components of a disconnected graph can not exchange 
any information between them, so, for the sake of simplicity, we have chosen to 
restrict our system to connected graphs. 

We next define the language of our logical system. 

Definition 3 For every signature $Sig$, let $\Phi(Sig)$ be the minimal set of formulas such that

1. $\bot \in \Phi(Sig)$,

2. $P_e \subseteq \Phi(Sig)$ for every $e \in E$,

3. if $\varphi, \psi \in \Phi(Sig)$, then $\varphi \to \psi \in \Phi(Sig)$,

4. if $e \in E$ and $\varphi \in \Phi(Sig)$, then $\Box_e\varphi \in \Phi(Sig)$.

We assume that connectives $\wedge$, $\neg$, and $\vee$ are defined through $\to$ and $\bot$ in the usual way.

Informally, a protocol is specified by giving a range of values³ for each edge (“communication channel”) and establishing dependencies between the values of the edges. These dependencies are “enforced” by vertices (“agents”), and, thus, each such condition only involves edges incident to a vertex. For this reason we refer to these conditions as “local”. For example, for protocol $\mathcal{P}_1$ in the introduction, the local condition enforced by vertex $q$ is $c = m \oplus k$, where $m \oplus k$ is a bit-wise exclusive or of binary strings transmitted over channels $m$ and $k$. For protocols $\mathcal{P}_2$ and $\mathcal{P}_3$, the local condition at vertex $q$ is $h(c, m \oplus k) \le 1$, where $h(\cdot, \cdot)$ denotes the Hamming distance between any two binary strings of the same length. The local condition for vertex $p$ under all three of the above protocols is the constant true. In the formal definition below, a local condition is treated not as a Boolean function but rather as a set of tuples on which this function is true.

³ Each value represents the collection of all messages sent through the channel on a given run.

Recall that each atomic proposition $p$ in set $P_e$ is viewed as proposition “about” the value of channel $e$. In what follows, by $\pi(p)$ we informally mean the set of all values of channel $e$ for which proposition $p$ is true.

Definition 4 A protocol over a signature $(V, E, \{P_e\}_{e \in E})$ is a tuple $(\{W_e\}_{e \in E}, \{L_v\}_{v \in V}, \pi)$ such that

1. for every edge $e \in E$, set $W_e$ is an arbitrary set of values,

2. for every $v \in V$, set $L_v \subseteq \prod_{e \in Inc(v)} W_e$ specifies local conditions at vertex $v$,

3. for every $p \in P_e$, function $\pi$ is such that $\pi(p) \subseteq W_e$. We denote $\pi(p)$ by $p^\pi$.

Definition 5 A run of a protocol $(\{W_e\}_{e \in E}, \{L_v\}_{v \in V}, \pi)$ is an arbitrary tuple $(w_e)_{e \in E} \in \prod_{e \in E} W_e$ such that $(w_e)_{e \in Inc(v)} \in L_v$ for every $v \in V$.

Definition 6 For any two tuples $r = (w_e)_{e \in E}$ and $r' = (w'_e)_{e \in E}$ and any $f \in E$, we write $r =_f r'$ if $w_f = w'_f$.

Corollary 1 Relation $r =_e r'$ is an equivalence relation. $\boxtimes$


The formal semantics of our logical system is defined in terms of runs of a protocol, rather than in more common terms of epistemic worlds of a Kripke model. Note, however, that any protocol can be viewed as a Kripke model in which runs of the protocol are epistemic worlds and equality of runs on a given channel $c$ is the indistinguishability relation $\sim_c$ on epistemic worlds.

Definition 7 For every signature $Sig = (V, E, \{P_e\}_{e \in E})$, every $\varphi \in \Phi(Sig)$, every protocol $\mathcal{P} = (\{W_e\}_{e \in E}, \{L_v\}_{v \in V}, \pi)$ over graph $(V, E)$, and every run $r = (w_e)_{e \in E}$ of $\mathcal{P}$, relation $r \Vdash \varphi$ is defined recursively as:

1. $r \nVdash \bot$,

2. $r \Vdash p$ if $w_e \in p^\pi$, where $p \in P_e$,

3. $r \Vdash \psi \to \chi$ if $r \nVdash \psi$ or $r \Vdash \chi$,

4. $r \Vdash \Box_e\psi$ if $r' \Vdash \psi$ for every run $r'$ of $\mathcal{P}$ such that $r' =_e r$.
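Definitions 4 through 7 can be run directly on the protocols $\mathcal{P}_1$ and $\mathcal{P}_2$ from the introduction by enumerating every run over 5-bit channel values and evaluating $\Vdash$ recursively. The Python sketch below is an added example, not code from the article; the tuple encoding of formulas, all function names, and the constant-true local condition at vertex $v$ (the article states it only for $p$) are assumptions.

```python
from collections import defaultdict

WORDS = [format(i, "05b") for i in range(32)]        # W_e: all 5-bit strings

def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

class Protocol:
    """Definition 4 with W_e = {0,1}^5; local maps vertex -> (Inc(v), L_v as predicate)."""

    def __init__(self, edges, local):
        self.edges, self.local, self.runs = edges, local, []
        self._extend({})
        # Group runs by the value of each channel: the classes of relation =_e.
        self.classes = {e: defaultdict(list) for e in edges}
        for r in self.runs:
            for e in edges:
                self.classes[e][r[e]].append(r)

    def _extend(self, partial):
        # Definition 5: a run satisfies L_v at every vertex; prune early.
        for inc, cond in self.local.values():
            if all(e in partial for e in inc) and not cond(*(partial[e] for e in inc)):
                return
        if len(partial) == len(self.edges):
            self.runs.append(dict(partial))
            return
        e = self.edges[len(partial)]
        for w in WORDS:
            partial[e] = w
            self._extend(partial)
        del partial[e]

# Formulas of Definition 3 as nested tuples.
BOT = ("bot",)
def atom(edge, values):          # proposition p in P_e with pi(p) = values
    return ("atom", edge, frozenset(values))
def imp(f, g):
    return ("imp", f, g)
def neg(f):                      # negation defined through -> and bottom
    return imp(f, BOT)
def box(edge, f):
    return ("box", edge, f)

def holds(P, r, f):
    """Definition 7: does run r of protocol P satisfy formula f?"""
    kind = f[0]
    if kind == "bot":
        return False
    if kind == "atom":
        return r[f[1]] in f[2]
    if kind == "imp":
        return not holds(P, r, f[1]) or holds(P, r, f[2])
    if kind == "box":            # true on every run that agrees with r on the edge
        return all(holds(P, r2, f[2]) for r2 in P.classes[f[1]][r[f[1]]])
    raise ValueError(kind)

EDGES = ["m", "k", "c", "m'"]
def TRUE(*_):
    return True
P1 = Protocol(EDGES, {
    "p": (("m",), TRUE),
    "q": (("m", "k", "c"), lambda m, k, c: c == xor(m, k)),
    "u": (("k", "c", "m'"), lambda k, c, m1: m1 == xor(c, k)),
    "v": (("m'",), TRUE),        # assumed: no restriction at v
})
P2 = Protocol(EDGES, {
    "p": (("m",), TRUE),
    "q": (("m", "k", "c"), lambda m, k, c: hamming(c, xor(m, k)) <= 1),
    "u": (("k", "c", "m'"), lambda k, c, m1: hamming(m1, xor(c, k)) <= 1),
    "v": (("m'",), TRUE),        # assumed: no restriction at v
})
R1 = {"m": "01001", "k": "11001", "c": "10000", "m'": "01001"}   # Figure 1
R2 = {"m": "01001", "k": "11001", "c": "10100", "m'": "11101"}   # Figure 2

def introduction_claims():
    """The four statements the introduction makes about runs r1 and r2."""
    def eq(e, w):
        return atom(e, {w})
    return [
        holds(P1, R1, box("m", eq("m'", "01001"))),        # r1 |- box_m(m' = 01001)
        holds(P1, R1, neg(box("c", eq("m'", "01001")))),   # statement (1)
        holds(P2, R2, neg(box("m", eq("m'", "11101")))),   # r2 |- not box_m(m' = 11101)
        holds(P2, R2, box("m", neg(eq("m'", "01110")))),   # r2 |- box_m(m' != 01110)
    ]

if __name__ == "__main__":
    print(len(P1.runs), len(P2.runs), introduction_claims())
```

Equalities such as $m' = 01001$ are encoded as atomic propositions of $P_{m'}$ whose valuation is a one-element set, in line with the article's restriction to propositional atoms.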

For any signature $Sig$ and any set of edges $T$, by $\Phi(Sig, T)$ we mean the set of all formulas in $\Phi(Sig)$ in which all outermost modalities are labeled only by edges in $T$ and all atomic propositions outside of scopes of all modalities belong to $\bigcup_{t \in T} P_t$. For example, $\Box_a\Box_b\varphi \to \Box_c\psi \in \Phi(Sig, \{a, c\})$. Also, if $p \in P_a$ and $q \in P_b$, then $\Box_b p \to q \in \Phi(Sig, \{b\})$. We use this notation to state our Gateway axiom in the next section. Below is the formal definition of this notation.

Definition 8 For every signature $Sig = (V, E, \{P_e\}_{e \in E})$ and every $T \subseteq E$, let $\Phi(Sig, T)$ be the minimal set of formulas such that

1. $\bot \in \Phi(Sig, T)$,

2. $P_t \subseteq \Phi(Sig, T)$ for every $t \in T$,

3. if $\varphi, \psi \in \Phi(Sig, T)$, then $\varphi \to \psi \in \Phi(Sig, T)$,

4. if $t \in T$ and $\varphi \in \Phi(Sig)$, then $\Box_t\varphi \in \Phi(Sig, T)$.

Note that in item 4 above, formula $\varphi$ is an element of set $\Phi(Sig)$ rather than set $\Phi(Sig, T)$.

4 Logical System 

In this section we specify the axioms and the inference rules of our logical system for a given signature $Sig = (V, E, \{P_e\}_{e \in E})$. Our logical system, in addition to propositional tautologies in language $\Phi(Sig)$, contains the following axioms:

1. Truth: $\Box_e\varphi \to \varphi$, where $\varphi \in \Phi(Sig)$,

2. Positive Introspection: $\Box_e\varphi \to \Box_e\Box_e\varphi$, where $\varphi \in \Phi(Sig)$,

3. Negative Introspection: $\neg\Box_e\varphi \to \Box_e\neg\Box_e\varphi$, where $\varphi \in \Phi(Sig)$,

4. Distributivity: $\Box_e(\varphi \to \psi) \to (\Box_e\varphi \to \Box_e\psi)$, where $\varphi, \psi \in \Phi(Sig)$,

5. Gateway: $\Box_e(\varphi \to \psi) \to (\varphi \to \Box_g\psi)$, where $e \in A$, $\varphi \in \Phi(Sig, A)$, $\psi \in \Phi(Sig, B)$, and edge $g$ is a gateway between sets of edges $A \subseteq E$ and $B \subseteq E$.

Note that axioms of Truth, Positive Introspection, Negative Introspection, and Distributivity are identical to the corresponding axioms of multi-agent epistemic logic S5. Thus, our logical system can be viewed as an extension of S5 by Gateway axiom.



Figure 4: Edge g is a gateway between sets of edges A and B. 


Figure 4 illustrates the setting for Gateway axiom. To explain the intuition behind Gateway axiom, let us first consider the special case of this axiom when formula $\varphi$ is a propositional tautology. In this case, Gateway axiom can be reduced to $\Box_e\psi \to \Box_g\psi$, which means that if an agent eavesdropping on channel $e$ knows something about the channels in set $B$, then an agent eavesdropping on gateway channel $g$ must also know this. Intuitively, this claim is true because the information about channels in set $B$ can only reach the observer of channel $e$ by flowing through the gateway channel $g$. However, to the best of our knowledge, Gateway axiom in this reduced form $\Box_e\psi \to \Box_g\psi$ does not yield a complete logical system. To achieve the completeness, we need a slightly more general principle that takes into account the “local” information about channels on the same side of the gateway as channel $e$. In Gateway axiom $\Box_e(\varphi \to \psi) \to (\varphi \to \Box_g\psi)$ the local information is captured by formula $\varphi$.

We write $\vdash_{Sig} \varphi$ if formula $\varphi$ is provable in our logical system for signature $Sig$ using Modus Ponens and Necessitation inference rules:

$$\frac{\varphi, \quad \varphi \to \psi}{\psi} \qquad\qquad \frac{\varphi}{\Box_e\varphi}$$

where $\varphi, \psi \in \Phi(Sig)$ and $e \in E$. We write $X \vdash_{Sig} \varphi$ if formula $\varphi$ is provable in our logical system from the set of assumptions $X$ using only Modus Ponens rule. We omit subscript $Sig$ when its value is clear from the context.


5 Examples 

The soundness and the completeness of our logical system will be established in 
the next two sections. In this section we give several examples of formal proofs 
in this system. Among these examples there are several lemmas that will be 
used later in the proof of completeness. 


Figure 5: Three-Channel Linear Communication Network.


Example 1 For any signature $Sig = (V, E, \{P_e\}_{e \in E})$ and any $\varphi \in \Phi(Sig)$ where $(V, E)$ is the graph depicted in Figure 5,

$$\vdash_{Sig} \Box_a(\Box_b\varphi \vee \Box_c\varphi) \to \Box_b\varphi.$$

In other words, if an observer eavesdropping on channel $a$ knows that an observer eavesdropping on channel $b$ knows $\varphi$ or an observer eavesdropping on channel $c$ knows $\varphi$, then the observer eavesdropping on channel $b$ must know $\varphi$.

Proof. Formula $\Box_c\varphi \to \varphi$ is an instance of Truth axiom. Thus, by Necessitation inference rule, $\vdash \Box_b(\Box_c\varphi \to \varphi)$. Hence, by Distributivity axiom and Modus Ponens inference rule,

$$\vdash \Box_b\Box_c\varphi \to \Box_b\varphi. \qquad (8)$$

At the same time note that edge $b$ is a gateway between sets $\{a, b\}$ and $\{c\}$. Additionally, $\neg\Box_b\varphi \in \Phi(Sig, \{a, b\})$ and $\Box_c\varphi \in \Phi(Sig, \{c\})$. Thus, by Gateway axiom, $\vdash \Box_a(\neg\Box_b\varphi \to \Box_c\varphi) \to (\neg\Box_b\varphi \to \Box_b\Box_c\varphi)$. Hence, using statement (8) and the laws of propositional logic, $\vdash \Box_a(\neg\Box_b\varphi \to \Box_c\varphi) \to (\neg\Box_b\varphi \to \Box_b\varphi)$. Note that formula $(\neg\Box_b\varphi \to \Box_b\varphi) \to \Box_b\varphi$ is a propositional tautology. Thus, $\vdash \Box_a(\neg\Box_b\varphi \to \Box_c\varphi) \to \Box_b\varphi$. Finally, recall that disjunction $\Box_b\varphi \vee \Box_c\varphi$ is an abbreviation for $\neg\Box_b\varphi \to \Box_c\varphi$. Therefore, $\vdash \Box_a(\Box_b\varphi \vee \Box_c\varphi) \to \Box_b\varphi$. $\boxtimes$


Figure 6: Five-Channel Linear Communication Network.

In what follows, we denote by $\top$ the propositional tautology $\bot \to \bot$.

Example 2 For any signature $Sig = (V, E, \{P_e\}_{e \in E})$ and any $\varphi \in \Phi(Sig)$ where $(V, E)$ is the graph depicted in Figure 6,

$$\vdash_{Sig} \Box_a\Box_e\Box_c\varphi \to \Box_b\Box_d\varphi.$$

Proof. By Truth axiom, $\vdash \Box_c\varphi \to \varphi$. Thus, $\vdash \Box_d(\Box_c\varphi \to \varphi)$ by Necessitation inference rule. Hence, by Distributivity axiom and Modus Ponens rule,

$$\vdash \Box_d\Box_c\varphi \to \Box_d\varphi. \qquad (9)$$

At the same time, formula $\Box_c\varphi \to (\top \to \Box_c\varphi)$ is a propositional tautology. Thus, by Necessitation rule, $\vdash \Box_e(\Box_c\varphi \to (\top \to \Box_c\varphi))$. By Distributivity axiom and Modus Ponens inference rule,

$$\vdash \Box_e\Box_c\varphi \to \Box_e(\top \to \Box_c\varphi). \qquad (10)$$

Similarly, one can show that

$$\vdash \Box_a\Box_d\varphi \to \Box_a(\top \to \Box_d\varphi). \qquad (11)$$

Since edge $d$ is a gateway between the sets of edges $\{e\}$ and $\{c\}$, $\top \in \Phi(Sig, \{e\})$, and $\Box_c\varphi \in \Phi(Sig, \{c\})$, by Gateway axiom, $\vdash \Box_e(\top \to \Box_c\varphi) \to (\top \to \Box_d\Box_c\varphi)$. Hence, using statement (9), statement (10) and the propositional reasoning, $\vdash \Box_e\Box_c\varphi \to \Box_d\varphi$. Thus, by Necessitation inference rule, $\vdash \Box_a(\Box_e\Box_c\varphi \to \Box_d\varphi)$. Then, by Distributivity axiom and Modus Ponens inference rule,

$$\vdash \Box_a\Box_e\Box_c\varphi \to \Box_a\Box_d\varphi. \qquad (12)$$

Since edge $b$ is a gateway between sets of edges $\{a\}$ and $\{d\}$, $\top \in \Phi(Sig, \{a\})$, and $\Box_d\varphi \in \Phi(Sig, \{d\})$, by Gateway axiom, $\vdash \Box_a(\top \to \Box_d\varphi) \to (\top \to \Box_b\Box_d\varphi)$. Therefore, using statement (11), statement (12) and the propositional reasoning, $\vdash \Box_a\Box_e\Box_c\varphi \to \Box_b\Box_d\varphi$. $\boxtimes$


We next prove formula (6) stated in Section 1.

Example 3 For any signature $Sig = (V, E, \{P_e\}_{e \in E})$ and any $\varphi \in \Phi(Sig)$, where $G = (V, E)$ is the graph depicted in Figure

$$\vdash_{Sig} \Box_m\Box_{m''}\varphi \to \Box_{m'}\Box_{m''}\varphi.$$

Proof. Formula $\Box_{m''}\varphi \to (\top \to \Box_{m''}\varphi)$ is a propositional tautology in language $\Phi(Sig)$. Thus, by Necessitation inference rule, we have $\vdash \Box_m(\Box_{m''}\varphi \to (\top \to \Box_{m''}\varphi))$. By Distributivity axiom and Modus Ponens inference rule,

$$\vdash \Box_m\Box_{m''}\varphi \to \Box_m(\top \to \Box_{m''}\varphi). \qquad (13)$$

Note now that edge $m'$ is a gateway between sets of edges $\{m\}$ and $\{m''\}$. Also, $\top \in \Phi(Sig, \{m\})$ and $\Box_{m''}\varphi \in \Phi(Sig, \{m''\})$. Thus, by Gateway axiom, $\vdash_G \Box_m(\top \to \Box_{m''}\varphi) \to (\top \to \Box_{m'}\Box_{m''}\varphi)$. Hence, using statement (13), by the laws of propositional logic, $\vdash_G \Box_m\Box_{m''}\varphi \to (\top \to \Box_{m'}\Box_{m''}\varphi)$. Therefore, again using propositional logic, $\vdash_G \Box_m\Box_{m''}\varphi \to \Box_{m'}\Box_{m''}\varphi$. $\boxtimes$

Instead of proving property (7) from the introduction, in Lemma 2 we prove a slightly more general statement that later will be used in the proof of completeness. The proof of Lemma 2 relies on the following auxiliary lemma. Figure 4 illustrates the settings of both of these lemmas.

Lemma 1 $\vdash \Box_e(\varphi \vee \psi) \to (\varphi \vee \Box_g\psi)$, where edge $g$ is a gateway between sets of edges $A$ and $B$, $e \in A$, $\varphi \in \Phi(Sig, A)$, and $\psi \in \Phi(Sig, B)$.

Proof. Recall that $\varphi \vee \psi$ is an abbreviation for $\neg\varphi \to \psi$. Thus, we need to show that $\vdash \Box_e(\neg\varphi \to \psi) \to (\neg\varphi \to \Box_g\psi)$, which is an instance of Gateway axiom. $\boxtimes$

Lemma 2 $\vdash \Box_g(\varphi \vee \psi \vee \chi) \to (\varphi \vee \Box_g\psi \vee \Box_g\chi)$, where edge $g$ is a gateway between sets $A$ and $B$, $\varphi \in \Phi(Sig, \{g\})$, $\psi \in \Phi(Sig, A)$, and $\chi \in \Phi(Sig, B)$.

Proof. Note first that $g$ is a gateway between sets $A \cup \{g\}$ and $B$. Thus, by Lemma 1,

$$\vdash \Box_g(\varphi \vee \psi \vee \chi) \to \varphi \vee \psi \vee \Box_g\chi.$$

Hence, by the laws of propositional logic,

$$\vdash \Box_g(\varphi \vee \psi \vee \chi) \to \varphi \vee \Box_g\chi \vee \psi.$$

By Necessitation inference rule,

$$\vdash \Box_g(\Box_g(\varphi \vee \psi \vee \chi) \to \varphi \vee \Box_g\chi \vee \psi).$$

By Distributivity axiom and Modus Ponens rule,

$$\vdash \Box_g\Box_g(\varphi \vee \psi \vee \chi) \to \Box_g(\varphi \vee \Box_g\chi \vee \psi).$$

By Positive Introspection axiom,

$$\vdash \Box_g(\varphi \vee \psi \vee \chi) \to \Box_g(\varphi \vee \Box_g\chi \vee \psi). \qquad (14)$$

Second, note that edge $g$ is also a gateway between sets $\{g\}$ and $A$. Thus, again by Lemma 1,

$$\vdash \Box_g(\varphi \vee \Box_g\chi \vee \psi) \to \varphi \vee \Box_g\chi \vee \Box_g\psi.$$

Hence, taking into account statement (14),

$$\vdash \Box_g(\varphi \vee \psi \vee \chi) \to \varphi \vee \Box_g\chi \vee \Box_g\psi,$$

which by the laws of propositional logic is equivalent to

$$\vdash \Box_g(\varphi \vee \psi \vee \chi) \to \varphi \vee \Box_g\psi \vee \Box_g\chi.$$


Next, we continue with two more auxiliary lemmas. Lemma 4 is also used in the proof of completeness. Lemma 3 is referred to in the proof of Lemma 4.

Lemma 3 $\vdash \varphi \to \Box_e\varphi$ for each $\varphi \in \Phi(Sig, \{e\})$.

Proof. Formula $\varphi \to \varphi$ is a tautology. Thus, by Necessitation inference rule, $\vdash \Box_e(\varphi \to \varphi)$. Note that $e$ is a gateway between sets $\{e\}$ and $\{e\}$. By Gateway axiom, $\vdash \Box_e(\varphi \to \varphi) \to (\varphi \to \Box_e\varphi)$. Therefore, $\vdash \varphi \to \Box_e\varphi$. $\boxtimes$

Lemma 4 If $X \subseteq \Phi(Sig, \{e\})$ and $\varphi \in \Phi(Sig)$, then $X \vdash \varphi$ implies $X \vdash \Box_e\varphi$.

Proof. Suppose that $X \subseteq \Phi(Sig, \{e\})$ and $X \vdash \varphi$ where $\varphi \in \Phi(Sig)$, then there is a finite subset $\{\psi_1, \psi_2, \dots, \psi_n\}$ of $X$ such that $\psi_1, \psi_2, \dots, \psi_n \vdash \varphi$. Hence, by Deduction theorem for propositional logic, we have $\vdash \psi_1 \to (\psi_2 \to \dots (\psi_n \to \varphi) \dots)$. By Necessitation rule, $\vdash \Box_e(\psi_1 \to (\psi_2 \to \dots (\psi_n \to \varphi) \dots))$. Applying Distributivity axiom and Modus Ponens $n$ times, we have $\Box_e\psi_1, \Box_e\psi_2, \dots, \Box_e\psi_n \vdash \Box_e\varphi$. Hence, by Lemma 3, $\psi_1, \psi_2, \dots, \psi_n \vdash \Box_e\varphi$. Therefore, $X \vdash \Box_e\varphi$. $\boxtimes$


6 Soundness 

In this section we prove the soundness of our logical system with respect to runs of a protocol $\mathcal{P}$ over a signature $Sig = (V, E, \{P_e\}_{e \in E})$. The soundness of propositional tautologies and Modus Ponens inference rule is straightforward. Below we prove the soundness of Necessitation inference rule and of each axiom as a separate lemma.

Lemma 5 (Necessitation) If $e \in E$ and $r \Vdash \varphi$ for each run $r$ of protocol $\mathcal{P}$, then $r \Vdash \Box_e\varphi$ for each run $r$ of protocol $\mathcal{P}$.

Proof. Let $r$ be a run of protocol $\mathcal{P}$. To show that $r \Vdash \Box_e\varphi$, consider any run $r'$ of protocol $\mathcal{P}$ such that $r' =_e r$. It is sufficient to prove that $r' \Vdash \varphi$, which is true due to the assumption of the lemma. $\boxtimes$

Lemma 6 (Truth) For every $e \in E$, every formula $\varphi \in \Phi(Sig)$, and every run $r$ of protocol $\mathcal{P}$, if $r \Vdash \Box_e\varphi$, then $r \Vdash \varphi$.

Proof. Assume that $r \Vdash \Box_e\varphi$. Thus, by Definition 7, $r' \Vdash \varphi$ for every run $r'$ of protocol $\mathcal{P}$ such that $r' =_e r$. In particular, $r \Vdash \varphi$. $\boxtimes$

Lemma 7 (Positive Introspection) For every $e \in E$, every formula $\varphi \in \Phi(Sig)$, and every run $r$ of protocol $\mathcal{P}$, if $r \Vdash \Box_e\varphi$, then $r \Vdash \Box_e\Box_e\varphi$.

Proof. Assume that $r \Vdash \Box_e\varphi$. Let $r'$ be any run of protocol $\mathcal{P}$ such that $r' =_e r$. We need to show that $r' \Vdash \Box_e\varphi$. Consider any run $r''$ of protocol $\mathcal{P}$ such that $r'' =_e r'$. We need to show that $r'' \Vdash \varphi$. Indeed, $r'' =_e r' =_e r$ due to the choice of $r'$ and $r''$. Hence, $r'' \Vdash \varphi$ by the assumption $r \Vdash \Box_e\varphi$. $\boxtimes$

Lemma 8 (Negative Introspection) For every $e \in E$, every formula $\varphi \in \Phi(Sig)$, and every run $r$ of protocol $\mathcal{P}$, if $r \Vdash \neg\Box_e\varphi$, then $r \Vdash \Box_e\neg\Box_e\varphi$.

Proof. Assume that $r \Vdash \neg\Box_e\varphi$. Then there is a run $r'$ of protocol $\mathcal{P}$ such that $r' =_e r$ and $r' \nVdash \varphi$. Consider now any run $r''$ of protocol $\mathcal{P}$ such that $r'' =_e r$. It is sufficient to show that $r'' \Vdash \neg\Box_e\varphi$, which is true because $r' =_e r =_e r''$ and $r' \nVdash \varphi$. $\boxtimes$

The proof of the soundness of Gateway axiom relies on the following technical 
lemma. 

Lemma 9 For every set $F \subseteq E$, every formula $\varphi \in \Phi(Sig, F)$, and every two 
runs $r$ and $r'$ of protocol $\mathcal{P}$, if $r =_e r'$ for all $e \in F$, then $r \Vdash \varphi$ if and only if 
$r' \Vdash \varphi$. 

Proof. We prove this by induction on the structural complexity of formula $\varphi$. 
The base case is when $\varphi$ is a propositional variable $p \in P_e$ for some $e \in E$. By 
Definition 7, $r \Vdash p$ is equivalent to $w_e \in p^\pi$, which, due to $w_e = w'_e$, in turn is 
equivalent to $w'_e \in p^\pi$. The latter is equivalent to $r' \Vdash p$, again by Definition 7. 
The induction step involves the following cases: 

1. Suppose that $\varphi$ is of the form $\neg\psi$. By Definition 7, $r \Vdash \varphi$ is equivalent to 
$r \nVdash \psi$. By the induction hypothesis, $r \nVdash \psi$ is equivalent to $r' \nVdash \psi$, which, 
by Definition 7, is equivalent to $r' \Vdash \neg\psi$. 

2. Suppose that $\varphi$ is of the form $\psi \to \chi$. By Definition 7, $r \Vdash \psi \to \chi$ is 
equivalent to the disjunction of $r \nVdash \psi$ and $r \Vdash \chi$, which is equivalent to 
the disjunction of $r' \nVdash \psi$ and $r' \Vdash \chi$ by the induction hypothesis. The 
latter is equivalent to $r' \Vdash \psi \to \chi$ by Definition 7. 

3. Suppose that $\varphi$ is of the form $\Box_e \psi$. By Definition 7, $r \Vdash \Box_e \psi$ if and only if 
$r'' \Vdash \psi$ for every $r''$ such that $r'' =_e r$. Since $r' =_e r$, the latter statement 
is equivalent to $r'' \Vdash \psi$ for every $r''$ such that $r'' =_e r'$. By Definition 7, 
the latter is equivalent to $r' \Vdash \Box_e \psi$. 

Lemma 10 (Gateway) For every run $r = (w_e)_{e \in E}$ of protocol $\mathcal{P}$, every gateway 
$g$ between sets of edges $A$ and $B$, every $a \in A$, and every $\varphi \in \Phi(Sig, A)$, 
$\psi \in \Phi(Sig, B)$, if $r \Vdash \Box_a(\varphi \to \psi)$ and $r \Vdash \varphi$, then $r \Vdash \Box_g \psi$. 


Proof. Consider any run $r' = (w'_e)_{e \in E}$ of protocol $\mathcal{P}$ such that $r' =_g r$. It 
suffices to show that $r' \Vdash \psi$. Consider a graph $G' = (V, E \setminus \{g\})$. Due to the 
assumption that $g$ is a gateway between $A$ and $B$, graph $G'$ consists of two connected 
components $C_A$ and $C_B$ such that all edges in set $A$ belong to the component 
$C_A$ and all edges in set $B$ belong to the component $C_B$. Let $r^+$ be a tuple 
$(w^+_e)_{e \in E}$ such that 

$$w^+_e = \begin{cases} w_e & \text{if } e \in C_A \cup \{g\}, \\ w'_e & \text{if } e \in C_B \cup \{g\}. \end{cases}$$


Note that tuple $r^+$ is well defined due to the assumption that $r' =_g r$. 


Claim 1 Tuple $r^+$ is a run of protocol $\mathcal{P}$. 


Proof. We need to show that $r^+$ satisfies local conditions of protocol $\mathcal{P}$ at any 
vertex $v \in V$. If $v \in C_A$, then $w^+_e = w_e$ for each $e \in Inc(v)$ by the choice 
of $(w^+_e)_{e \in E}$. Hence, $(w^+_e)_{e \in Inc(v)} = (w_e)_{e \in Inc(v)} \in L_v$. The case $v \in C_B$ is 
similar. $\boxtimes$ 


We are ready to finish the proof of the lemma. Note that $r^+ =_a r$ by the 
choice of $(w^+_e)_{e \in E}$ and the assumption $a \in A$. Thus, $r^+ \Vdash \varphi \to \psi$ by the 
assumption $r \Vdash \Box_a(\varphi \to \psi)$. At the same time, $r^+ \Vdash \varphi$ by Lemma 9 and the 
assumption $r \Vdash \varphi$. Hence, $r^+ \Vdash \psi$ by Definition 7. Therefore, $r' \Vdash \psi$ by the 
same Lemma 9 and the assumption $\psi \in \Phi(Sig, B)$. $\boxtimes$ 


7 Completeness 

In this section we prove the completeness of our logical system with respect to 
the formal semantics defined in Section [H 

In general, to prove a completeness theorem for a logical system, for any 
statement not provable in this system, one needs to describe how to construct 
a model in which this statement is false. In our case, for each formula $\varphi$ not 
provable in our logical system, we construct a protocol (“Kripke model”) and 
a run (“epistemic world”) of this protocol on which formula $\varphi$ is not satisfied. 
This protocol will be obtained by aggregating simpler canonical protocols. Each 
canonical protocol synchronizes information known to different observers. For 
example, if an observer $a$ knows that an observer $b$ knows $\psi$, then one of the 
canonical protocols guarantees that observer $b$ indeed knows $\psi$. 

The construction of such canonical protocols is based on the network flow 
protocol PH p.708]. Information flow has many properties similar to that of 
network flow. In fact, network flow is sometimes used to communicate information. 
For example, the hydraulic brake system in modern cars uses the flow 
of the brake fluid to communicate a braking signal from the brake pedal to the 
wheels. In a more general setting, one can consider a closed system of water 
pipes with several faucets and several sinks. If one of the faucets is pumping 
water into the system (somebody knows formula $\delta$), then at least one of the 
sinks must be leaking the water (forcing formula $\delta$ to be true). We will use such 
pipe systems to communicate information between different edges of the graph. 

In this section we first informally discuss network flow protocols in more 
detail. Next, we define “canonical” protocols that formalize the network flow 
protocol in the form needed for our proof of completeness. Finally, to finish the 
proof of completeness, we aggregate multiple canonical protocols into a single 
one. 

7.1 Network Flow Protocol 

Consider an example of a network of six pipes depicted in Figure 7. Assume 
that this network has two sink faucets located at edges $d$ and $f$. Furthermore, 
let us assume that 

1. water can leak from the network only through faucets on edges $d$ and $f$, 

2. water does not have to leak even if the faucet is open, and 

3. all pipes can (but do not have to) add water into the system by pumping 
it in the middle of the pipes. 

Throughout this section, atomic propositions $p$ and $q$ denote the statements 
“faucet on the edge $d$ is open” and “faucet on the edge $f$ is open”, respectively. 


Figure 7: Run $r_1$ of a network flow protocol. 


We show the flow in the network by assigning a real number to each end 
u of each pipe e in the network. The positive number denotes the speed (volume 
per time unit) with which water is coming into the pipe through this end and 
negative number shows the speed with which water is leaving the pipe through 
that end. 

So far, we assume that no water can be added at a vertex. Thus, the sum of 
all values at each vertex is zero. Any such valid assignment of the flow values 
to the ends of all pipes defines a run of the network flow protocol. 

An example of a run $r_1$ is also shown on Figure 7. On this run pipes $a$ 
and $c$ add water into the system, both sink faucets are open, but only edge $d$ 
leaks water. Note that an external observer of pipe $a$ would see that the sum 
of flow values on edge $a$ is negative. This means that water is added into the 
system. Thus, the observer would be able to conclude that at least one of the 
sink faucets is open: $r_1 \Vdash \Box_a(p \vee q)$. However, this observer will not be able 
to deduce exactly which faucet is open: $r_1 \Vdash \neg\Box_a p \wedge \neg\Box_a q$. Also, an external 
observer of pipe $d$ will see that the sum of the two flow values at the ends of 
this pipe is positive and, thus, faucet on the pipe $d$ is leaking. Hence, $r_1 \Vdash \Box_d p$ 
and so $r_1 \Vdash \Box_d(p \vee q)$. 


Figure 8: Run $r_2$ of a network flow protocol. 


We now argue that $r_1 \Vdash \neg\Box_b(p \vee q)$. Indeed, any external observer of pipe $b$ 
will not be able to distinguish run $r_1$ from run $r_2$ depicted in Figure 8, because 
they have the same flow values at both ends of pipe $b$. Run $r_2$ has a circular 
flow through pipes $b$ and $e$, with both faucets being closed. Since $r_2 \nVdash p \vee q$ 
and the observer of pipe $b$ cannot distinguish between runs $r_1$ and $r_2$, it follows 
that $r_1 \Vdash \neg\Box_b(p \vee q)$. Similarly, another run could be constructed to show that 
$r_1 \Vdash \neg\Box_e(p \vee q)$. 

Before continuing with the next example, let us introduce a notion of a bridge 
edge of a graph, which is related but not identical to the earlier introduced notion 
of a gateway edge between two sets of edges. 

Definition 9 An edge $b$ is a bridge in a connected graph $(V, E)$, if graph 
$(V, E \setminus \{b\})$ is not connected. 

For any given graph, by $B$ we mean the set of all bridges of this graph. For 
example, for the graph depicted in Figure 3, set $B$ is $\{m, m', m''\}$. 

The main difference between a gateway and a bridge is that a gateway between 
sets is defined assuming two given sets. A bridge is a specific type of 
edge. Its definition does not depend on the choice of any specific sets. Furthermore, 
a gateway does not have to be a bridge. For example, for any edges $e$ and 
$f$ of an arbitrary graph, edge $e$ is a gateway between set $\{e\}$ and set $\{f\}$ even 
if edge $e$ is not a bridge. 

The graph in Figure 8 has no bridges. As we show next, the epistemic 
properties of the network flow protocol are different for edges that are bridges 
and edges that are not bridges. Let $r_3$ be the run of the network flow protocol 
depicted in Figure 9, where pipe $b$ is a bridge. Note that although no additional 
water is pumped into pipe $b$, an external observer of pipe $b$ would be able to 
conclude that the faucet at edge $d$ is open because such an observer would notice 
a right-to-left water flow on pipe $b$. In other words, $r_3 \Vdash \Box_b p$. 


Figure 9: Run $r_3$ of a network flow protocol. 


These examples show that in order for an observer of a non-bridge edge to 
be able to deduce disjunction $p \vee q$, this edge must be pumping water into the 
system. In the case of a bridge, however, it is sufficient to have a non-zero flow 
over the bridge in either of the two directions. This distinction between bridges 
and non-bridges under the network flow protocol will lead to two different 
corresponding cases in the definition of our canonical protocol (see Definition 11). 
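
The bridge and non-bridge cases described above, and the Gateway property of Lemma 10, can be checked by brute force on a small network. This is an added example, not code from the paper: the five-pipe graph, the restriction of flow values to -1, 0 and 1, and all function names are assumptions made for illustration.

```python
from itertools import product

# Constructed network, not the paper's figure: pipes b and e form a cycle,
# c is a bridge, d and f are dead-end pipes holding the sink faucets p and q.
PIPES = {"b": (0, 1), "e": (0, 1), "c": (1, 2), "d": (2, 3), "f": (0, 4)}
FAUCET_PIPES = {"d", "f"}
FLOWS = (-1, 0, 1)   # assumption: discretised flow values keep the run set finite
VERTICES = {v for ends in PIPES.values() for v in ends}


def edge_values(pipe):
    """Admissible values of a pipe: (flow at 1st end, flow at 2nd end, faucet open)."""
    states = (False, True) if pipe in FAUCET_PIPES else (False,)
    for f1, f2, is_open in product(FLOWS, FLOWS, states):
        # positive sum = water leaks from the pipe, which needs an open faucet;
        # negative sum = the pipe pumps water in, which is always allowed
        if f1 + f2 <= 0 or is_open:
            yield (f1, f2, is_open)


def is_run(run):
    """Section 7.1 local condition: flow values meeting at each vertex sum to zero."""
    return all(
        sum(run[e][ends.index(v)] for e, ends in PIPES.items() if v in ends) == 0
        for v in VERTICES)


RUNS = [r for r in (dict(zip(PIPES, vals))
                    for vals in product(*(list(edge_values(e)) for e in PIPES)))
        if is_run(r)]
ALL = set(range(len(RUNS)))
P = {i for i in ALL if RUNS[i]["d"][2]}   # truth set of p: faucet on d is open
Q = {i for i in ALL if RUNS[i]["f"][2]}   # truth set of q: faucet on f is open


def knows(edge, truth):
    """Box_edge: runs whose every edge-indistinguishable run lies in `truth`."""
    classes = {}
    for i, run in enumerate(RUNS):
        classes.setdefault(run[edge], set()).add(i)
    return {i for cls in classes.values() if cls <= truth for i in cls}


def implies(a, b):
    """Truth set of the implication a -> b."""
    return (ALL - a) | b


def pumping(edge):
    """Runs on which `edge` adds water: its two flow values sum to a negative number."""
    return {i for i in ALL if sum(RUNS[i][edge][:2]) < 0}


def flowing(edge):
    """Runs on which `edge` carries a non-zero flow at some end."""
    return {i for i in ALL if RUNS[i][edge][:2] != (0, 0)}


def is_bridge(edge):
    """Definition 9: removing `edge` leaves the graph disconnected."""
    rest = [ends for e, ends in PIPES.items() if e != edge]
    seen, todo = set(), [0]
    while todo:
        v = todo.pop()
        if v not in seen:
            seen.add(v)
            todo += [w for ends in rest if v in ends for w in ends]
    return seen != VERTICES


def gateway_holds(a, g, phi, psi):
    """Lemma 10 checked on every run: Box_a(phi -> psi) and phi give Box_g psi."""
    return knows(a, implies(phi, psi)) & phi <= knows(g, psi)


if __name__ == "__main__":
    for e in ("b", "e", "c"):
        kind, rule = ("bridge", flowing) if is_bridge(e) else ("non-bridge", pumping)
        print(e, kind, "knows p or q exactly when", rule.__name__, ":",
              knows(e, P | Q) == rule(e))
```

Here bridge c is a gateway in the sense used in the proof of Lemma 10: removing it separates pipes b, e and f from pipe d.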

The network flow protocol, as described above, has a peculiar property. 
Namely, since water could be pumped into the system only through edges, an 
external observer of bridge $b$ under run $r_3$ will not only be able to deduce that $p$ is 
true, but also to conclude that either an external observer of pipe $c$ or an external 
observer of pipe $f$ must know that $p \vee q$ is true: $r_3 \Vdash \Box_b(\Box_c(p \vee q) \vee \Box_f(p \vee q))$. 
Indeed, an external observer of pipe $b$ would conclude that water is pumped into 
the system either at pipe $c$ or at pipe $f$ and, thus, either $\Box_c(p \vee q)$ or $\Box_f(p \vee q)$. 
To prove the completeness theorem for our logical system, we need a slightly 
more general class of flow protocols for which this property is not necessarily 
true. Namely, we allow additional water to be pumped into the system not only 
at pipes, but also at the vertices. The sink faucets, however, are still located 
only in the middle of the pipes. Under the modified network flow protocol, the 
statement $r_3 \Vdash \Box_b(\Box_c(p \vee q) \vee \Box_f(p \vee q))$ is no longer true because an external 
observer of pipe $b$ cannot distinguish run $r_3$ from run $r_4$ of the modified protocol 
depicted in Figure 10 and because $r_4 \Vdash \neg\Box_c(p \vee q)$ and $r_4 \Vdash \neg\Box_f(p \vee q)$. 


Figure 10: Run $r_4$ of a network flow protocol. 


7.2 Canonical Protocols 

In this section we define canonical protocols based on the network flow 
construction informally discussed above. The canonical protocols are used later in 
the proof of completeness. Under a canonical protocol, the value of each edge 
$e$ contains a maximal consistent subset $X_e$ of $\Phi(Sig, \{e\})$. Informally, set $X_e$ 
consists of all epistemic facts about an external observer of edge $e$ that are true 
on a given run. Of course, on the same run, sets $X_e$ for different edges $e$ must be 
correlated. For example, if set $X_e$ contains formula $\Box_e \Box_h \varphi$, then set $X_h$ must 
contain formula $\Box_h \varphi$. In general, if $\Box_e \delta \in X_e$, then formula $\delta$ should be, in 
some sense, “true” on this run. We use network flow to enforce such correlations 
between sets $X_e$ for different edges $e$ on the same run. 

A single canonical protocol is used to only enforce such a correlation for a single 
formula $\delta$. Thus, each formula $\delta$ produces a different canonical protocol. In 
Section [7~T| we aggregate these canonical protocols into a single protocol. Note 
that in propositional logic any formula can be written in Disjunctive Normal 
Form. Any modal formula $\delta$ can be shown to be equivalent to $\bigwedge_{i<n} \bigvee_{h \in E} \delta^i_h$, 
where $\delta^i_h \in \Phi(Sig, \{h\})$ for each $i < n$ and each $h \in E$. Also note that in 
the presence of Distributivity axiom and Necessitation inference rule, formula 
$\Box_e \bigwedge_{i<n} \bigvee_{h \in E} \delta^i_h$ is provably equivalent to $\bigwedge_{i<n} \Box_e \bigvee_{h \in E} \delta^i_h$. Because of this, 
in what follows we enforce our correlation between different sets $X_e$ only for 
formulas $\delta$ of the form $\bigvee_{h \in E} \delta_h$, where $\delta_h \in \Phi(Sig, \{h\})$ for each $h \in E$. 

Definition 10 For any signature $Sig = (V, E, \{P_e\}_{e \in E})$, let $\Delta(Sig)$ be the set 
of all formulas of the form $\bigvee_{e \in E} \delta_e$, where $\delta_e \in \Phi(Sig, \{e\})$ for each $e \in E$. 

The correlation that we intend to enforce is: for all $e \in E$, if $\Box_e \bigvee_{h \in E} \delta_h \in X_e$, 
then there exists $h \in E$ such that $\delta_h \in X_h$. Instead of defining a single 
protocol $\mathcal{P}^\delta$ under which this correlation is enforced for each $e \in E$, we define a 
family of protocols $\{\mathcal{P}^\delta_F\}_{F \subseteq E}$. For each subset $F \subseteq E$, under protocol $\mathcal{P}^\delta_F$ the 
correlation is enforced only for edges in $F$. 

The enforcement of the desired correlation under protocol $\mathcal{P}^\delta_F$ is achieved 
by using the network flow construction described in the previous section. 
Informally, each edge of the graph is viewed as a pipe. In addition to set $X_e$, 
the value of each edge $e$ also includes flow values over this edge. As before, 
sink faucets are placed in the middle of each edge. However, the sink faucet 
at edge $h$ is open only if $\delta_h \in X_h$. If $\Box_e \delta \in X_e$ and edge $e$ is not a bridge, 
then $e$ is required to “pump” water into the system. The network flow protocol 
guarantees that if water is pumped into the system, then it must leak through 
at least one of the sinks. This implies that if $\Box_e \delta \in X_e$ (“water is pumped in”), 
then $\delta_h \in X_h$ (“sink is leaking”) for at least one disjunct $\delta_h$ in formula $\delta$. For 
the same reason, if $\Box_e \delta \in X_e$ and $e$ is a bridge, then $e$ is required to have a 
non-zero flow (in either direction). 

We now define a canonical protocol $\mathcal{P}^\delta_F$ over a signature $Sig = (V, E, \{P_e\}_{e \in E})$ 
for each subset $F \subseteq E$ and each $\delta \in \Delta(Sig)$, where $\delta$ is of the form $\bigvee_{e \in E} \delta_e$ and 
$\delta_e \in \Phi(Sig, \{e\})$ for each $e \in E$. 

Definition 11 A value $w_e$ of an edge $e \in Edge(u,u')$ under protocol $\mathcal{P}^\delta_F$ is a 
tuple $(X, \{f_v\}_{v \in Inc(e)})$ that has the following properties: 

1. Properties common to all edges. 

(a) $X$ is a maximal consistent subset of $\Phi(Sig, \{e\})$, 

(b) $f_u$ and $f_{u'}$ are real numbers, 

(c) $f_u + f_{u'} > 0$ if and only if $\delta_e \in X$. 

2. Properties of bridge edges. For each $e \in B$, 

(a) if $\delta_e \notin X$, then $f_u + f_{u'} = 0$, 

(b) if $f_u < 0$, then $\Box_e \bigvee_{h \in C^u_e} \delta_h \in X$, 

(c) if $e \in F$, $\Box_e \delta \in X$, and $\delta_e \notin X$, then $f_u < 0$ or $f_{u'} < 0$. 

3. Properties of non-bridge edges. For each $e \in E \setminus B$, 

(a) if $f_u + f_{u'} < 0$, then $\Box_e \delta \in X$, 

(b) if $e \in F$, $\Box_e \delta \in X$, and $\delta_e \notin X$, then $f_u + f_{u'} < 0$. 

Valuation. Let $\pi$ be a function such that, for each $e \in E$ and $p \in P_e$, set $p^\pi$ 
contains all values $(X, \{f_v\}_{v \in Inc(e)})$ under protocol $\mathcal{P}^\delta_F$, where $p \in X$. 

We now specify a local condition $L_u$ at a vertex $u$ under protocol $\mathcal{P}^\delta_F$. Under 
the network flow protocol, we allow any vertex $u$ to pump additional water into 
the system and disallow it to leak water out of the system. This is formally 
captured by the local condition $\sum_{e \in Inc(u)} f^e_u \ge 0$. At the same time, recall that 
we use the network flow to enforce the property: if $\Box_e \delta \in X_e$, where $\delta = \bigvee_{h \in E} \delta_h$, 
then $\delta_h \in X_h$ for at least one $h \in E$. Note that if $\delta_h \in X_h$ for at least one $h \in E$, 
then the property is already true and no additional enforcement is necessary. 
Because of this, if $\delta_h \in X_h$ for at least one edge $h$ adjacent to vertex $u$, then we 
allow the sum $\sum_{e \in Inc(u)} f^e_u$ to be negative. This relaxation of the local condition 
will be useful later. 

Local Conditions. Consider any tuple of values $(X_e, \{f^e_v\}_{v \in Inc(e)})_{e \in Inc(u)}$ 
under protocol $\mathcal{P}^\delta_F$. This tuple belongs to $L_u$ when the following condition is 
satisfied: if $\delta_e \notin X_e$ for each $e \in Inc(u)$, then $\sum_{e \in Inc(u)} f^e_u \ge 0$. 

This concludes the specification of the family of protocols $\mathcal{P}^\delta_F$. The following 
corollary directly follows from the above definitions. 

Corollary 2 For any run $(X_e, \{f^e_u\}_{u \in Inc(e)})_{e \in E}$ of a protocol $\mathcal{P}^\delta_F$ and any real 
number $\lambda > 0$, tuple $(X_e, \{\lambda f^e_u\}_{u \in Inc(e)})_{e \in E}$ is a run of protocol $\mathcal{P}^\delta_F$. $\boxtimes$ 


Lemma 11 Let $(X_e, \{f^e_u\}_{u \in Inc(e)})_{e \in E}$ be any run of a protocol $\mathcal{P}^\delta_F$. If 
$h = (v, v') \in F \cap B$ and $\delta_h \notin X_h$, then $f^h_v = 0$ if and only if $\Box_h \delta \notin X_h$. 


Proof. ($\Rightarrow$): We prove by contrapositive. Suppose that $\Box_h \delta \in X_h$. Then by 
Definition 11, part 2(c), $f^h_v < 0$ or $f^h_{v'} < 0$. Hence, $f^h_v \neq 0$ or $f^h_{v'} \neq 0$. Note that 
$f^h_{v'} \neq 0$, by Definition 11, part 2(a), implies that $f^h_v \neq 0$. Therefore, in both 
cases, $f^h_v \neq 0$. 

($\Leftarrow$): Assume that $f^h_v \neq 0$. By Definition 11, part 2(a), either $f^h_v < 0$ or $f^h_{v'} < 0$. 
Suppose, without loss of generality, that $f^h_v < 0$. Then, by Definition 11, part 
2(b), 

$$\Box_h \bigvee_{e \in C^v_h} \delta_e \in X_h. \qquad (15)$$

Note that $\bigvee_{e \in C^v_h} \delta_e \to \delta$ is a propositional tautology. Thus, by Necessitation 
rule, 

$$\vdash \Box_h \Big( \bigvee_{e \in C^v_h} \delta_e \to \delta \Big).$$

Hence, by Distributivity axiom and Modus Ponens rule, 

$$\vdash \Box_h \bigvee_{e \in C^v_h} \delta_e \to \Box_h \delta.$$

Thus, $X_h \vdash \Box_h \delta$ from statement (15) and Modus Ponens inference rule. Therefore, 
$\Box_h \delta \in X_h$ due to the maximality of set $X_h$. $\boxtimes$ 


7.3 Properties of Canonical Protocols 

In this section we prove several technical properties of the canonical protocols 
that are used in the proof of completeness. To build the intuition, as we proceed, 
we compare these properties with those of our informal network flow model. 

Lemma 12 For any $\delta \in \Delta(Sig)$, if $F' \subseteq F$, then each run of protocol $\mathcal{P}^\delta_F$ is 
also a run of protocol $\mathcal{P}^\delta_{F'}$. 


Proof. The statement of the lemma immediately follows from the definition of 
the canonical protocols $\mathcal{P}^\delta_F$. Indeed, the difference between protocol $\mathcal{P}^\delta_F$ and 
$\mathcal{P}^\delta_{F'}$ is only in parts 2(c) and 3(b) of Definition 

The following theorem formalizes our intuition described earlier that if there 
is an inflow of water into the system, then there must be at least one open sink 
for the water to leak. 

Theorem 1 For any $h \in E$ and any run $(X_e, \{f^e_u\}_{u \in Inc(e)})_{e \in E}$ of protocol $\mathcal{P}^\delta_E$, 
if $\Box_h \delta \in X_h$, then there is an edge $h' \in E$ such that $\delta_{h'} \in X_{h'}$. 

Proof. Suppose that there is no h! £ E such that 5^ £ X h . Due to the local 
conditions of protocol 'P| / ,, 

E /® > 0, for each v £ V. (16) 

e£lnc(v) 

We consider the following two cases separately: 

Case I: h ^ B. The sum of flow values over edges can be rearranged to the sum 
of flow values over vertices. Thus, due to inequality 

E (/«+/. e ') = E E fv>°- (!7) 

e£Edge(u,u') v£V e£lnc(v) 



Figure 11: Towards proof of Theorem [T] Case II. 


inequality (16) 


E (fu + fu') = I E E fv I - fuo > 0 - fuo > 0. 

e£Edge(u,u')CC™® \ vEC™° e£lnc(v) 


Thus, there must exist h ' £ Edge(ui,u 2 ) £ Cffi such that + fu 2 > 0. There¬ 
fore, Sh 1 £ X h by part 1(c) of Definition 
which is a contradiction. 


Note that in the network flow model the following property holds: if $v_1$ is one 
of the vertices of an edge $e_0$ and the water flows through edge $e_0$ towards vertex 
$v_1$, then there must exist a sink edge $e_k$ and a path $e_0, v_1, e_1, v_2, e_2, \ldots, v_k, e_k$ 
such that there is a water flow along this path in the direction from edge $e_0$ 
to edge $e_k$. In our formal setting this property is captured by the following 
definition and lemma. 


Definition 12 For any maximal consistent set of formulas $M$, let $T_M$ be the 
set of all paths $e_0, v_1, e_1, v_2, e_2, \ldots, v_k, e_k$, where $k > 0$, such that 

1. $\Box_{e_0} \bigvee_{h \in C^{v_1}_{e_0}} \delta_h \in M$, 

2. $\delta_{e_i} \notin M$, for each $0 \le i < k$, 

3. if $e_i \in B$, then $\Box_{e_i} \bigvee_{h \in C^{v_{i+1}}_{e_i}} \delta_h \in M$ for each $0 < i < k$, 

4. $\delta_{e_k} \in M$. 

Lemma 13 For any edge $e \in Edge(u,u')$, if $\Box_e \bigvee_{h \in C^u_e} \delta_h \in M$ and $\delta_e \notin M$, 
then there is a path in set $T_M$ that starts with edge $e$ and continues through 
vertex $u$. 


Proof. Let Tl be the set of all such paths eo, v\, e\, V 2 , e-i, ■ ■ ■, Vk, ek that eo = e, 
Vi = u, □ eo i5 £ M, and for each 0 < i < k, if ei £ B, then a ei (\Jhec" i+1 e 
M. 

Let Co be the set of all edges that belong to at least one path in ft. Let 
C\,, C n be the connected components of the graph obtained from component 
C“. by removing all edges in Co- By the definition of set ft, for each 0 < i < n 
there is an edge <ji in Co fl B, such that 


□ 


9i 



(18) 


Note that edge gt is the gateway between edges in Co U C\ U • • • U C*_i U Ci+\ U 
• • • U C n and Ci. See Figure p~2 



Figure 12: Components and corresponding bridges. 

The following formula is a propositional tautology: 


V Sh 


vmv vv4 


\hec 0 


i=i heCi 


Thus, by Necessitation inference rule, 


V S h 

hec u 


b □ 

By Distributivity axiom, 

I" O e I V 5h 

\h£C u 


V ** v V V 


\h£C o 


vi=i heCi 


□ e 


V 6 h v V V *» 


\h£Co 


\i =1 heCi 


By Lemma [l] and laws of propositional logic, 


b D e V S h ) -> ( ( V 6h V V V Sh V D sA V 6h 


By Necessitation rule, 


KheCo 


\i =2 heCi 


Khec 1 


b De De V ^ ^ V 5h V V V Sh V D S1 V Sh 


K h&C -e 

By Distributivity axiom, 




\i =2 heCi 


Kh£C i 


b U e U e ( V Sh 

, hec y 


—>■ D e 


V M v (V V 6h )) v °9i ( V Sh 


\heC 0 


\i=2 heCi 


Kh£Ci 


By Positive Introspection axiom, 


b D e V Sh 


-t De 


V Sh ) v (V V 6h )) v D si ( V Sh 


,/iecy 


\h&C 0 


\i =2 heCi 




By Lemma [T] and the laws of propositional logic, 


hd. v v v v v°* v^ 


,hec u 


\h£Co 


x i—3 fteCi 


i=i VheCi 


By repeating the previous steps n — 2 more times, 


b D e V 5/1 


—► 


V ) v (V n 9* ( V ^ 


i hec u 


\hGC 0 


Xi=i \heCi 

Since, □, 


(v 


hec u 


Sh) £ M and set M is a maximal consistent set of formulas, 


<E M. 



Due to (18) and the maximality of set M, there must exist an edge h £ Co such 


that Sh £ M. By the definition of Co, there is a path e, v\, ei, v%, e 2 , ■ ■ •, Vk, e*, 
in D containing h. Let e m be the first edge along this path such that 5 em £ M. 
Note that e m 7 ^ e because 8 e M by the assumption of the claim. Then, 
e, Vi, ei,V 2 , e?, ..., v m , e m is the required path in T. IEI 


Another property that holds for the network flow is: if water is pumped into 
an edge $e_0$, then there must exist a sink edge $e_k$ and a path $e_0, v_1, e_1, \ldots, v_k, e_k$ 
such that there is a water flow along this path in the direction from edge $e_0$ 
to edge $e_k$. We capture this property in the canonical protocol case by the 
following lemma. 


Lemma 14 For any edge $e \in E$, and any $\delta \in \Delta(Sig)$, if $\Box_e \delta \in M$ and $\delta_e \notin M$, 
then there is a path in set $T_M$ that starts with edge $e$. 


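Proof. Let $e \in Edge(u,u')$. There are two cases: 

Case I: $e \in E \setminus B$. Note that $e$ is a gateway between sets $\{e\}$ and $E \setminus \{e\}$. Then, 
by Lemma 1, 

$$\vdash \Box_e \Big( \delta_e \vee \bigvee_{h \in C^u_e} \delta_h \Big) \to \delta_e \vee \Box_e \bigvee_{h \in C^u_e} \delta_h. \qquad (19)$$

At the same time, component $C^u_e$ contains all edges of the graph except for 
edge $e$ due to the assumption $e \in E \setminus B$. Thus, 

$$\delta \to \delta_e \vee \bigvee_{h \in C^u_e} \delta_h$$

is a propositional tautology. Hence, by Necessitation inference rule, 

$$\vdash \Box_e \Big( \delta \to \delta_e \vee \bigvee_{h \in C^u_e} \delta_h \Big).$$

By Distributivity axiom and Modus Ponens inference rule, 

$$\vdash \Box_e \delta \to \Box_e \Big( \delta_e \vee \bigvee_{h \in C^u_e} \delta_h \Big).$$

Using statement (19) and the laws of propositional logic, 

$$\vdash \Box_e \delta \to \delta_e \vee \Box_e \bigvee_{h \in C^u_e} \delta_h.$$

Recall that $\Box_e \delta \in M$ and $\delta_e \notin M$. Thus, $\Box_e \bigvee_{h \in C^u_e} \delta_h \in M$, due to the 
maximality and the consistency of set $M$. Then, the required follows from 
Lemma 13. 

Case II: $e \in B$. Thus, edge $e$ is a gateway between edges of the component $C^u_e$ 
and edges of the component $C^{u'}_e$. Thus, by Lemma [5J 

$$\vdash \Box_e \Big( \delta_e \vee \bigvee_{h \in C^u_e} \delta_h \vee \bigvee_{h \in C^{u'}_e} \delta_h \Big) \to \delta_e \vee \Box_e \bigvee_{h \in C^u_e} \delta_h \vee \Box_e \bigvee_{h \in C^{u'}_e} \delta_h. \qquad (20)$$

At the same time, notice that the formula 

$$\delta \to \delta_e \vee \bigvee_{h \in C^u_e} \delta_h \vee \bigvee_{h \in C^{u'}_e} \delta_h$$

is a propositional tautology. Thus, by Necessitation inference rule, 

$$\vdash \Box_e \Big( \delta \to \delta_e \vee \bigvee_{h \in C^u_e} \delta_h \vee \bigvee_{h \in C^{u'}_e} \delta_h \Big).$$

By Distributivity axiom and Modus Ponens inference rule, 

$$\vdash \Box_e \delta \to \Box_e \Big( \delta_e \vee \bigvee_{h \in C^u_e} \delta_h \vee \bigvee_{h \in C^{u'}_e} \delta_h \Big).$$

Using statement (20) and the laws of propositional logic, 

$$\vdash \Box_e \delta \to \delta_e \vee \Box_e \bigvee_{h \in C^u_e} \delta_h \vee \Box_e \bigvee_{h \in C^{u'}_e} \delta_h.$$

Recall that $\Box_e \delta \in M$ and $\delta_e \notin M$. Thus, $\Box_e \bigvee_{h \in C^u_e} \delta_h \in M$ or $\Box_e \bigvee_{h \in C^{u'}_e} \delta_h \in M$, 
due to the maximality and the consistency of set $M$. In either case, the 
required follows from Lemma 13. 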


In general, the completeness of a modal logic is often proven through a 
construction that converts a maximal consistent set of formulas into a world of 
a “canonical” model for this set of formulas. In our case, the canonical model is 
represented by protocol $\mathcal{P}^\delta_F$. Instead of a Kripke world, we construct a special 
run of this protocol. The construction is done recursively for an arbitrary $\mathcal{P}^\delta_F$ in 
the theorem below. Informally, in terms of the network flow model, the theorem 
states that for any maximal consistent set of formulas $X$ there is a network flow 
on the graph that satisfies this set of formulas. 

Theorem 2 For every $\delta \in \Delta(Sig)$, every $F \subseteq E$ and every maximal consistent 
set $M$ there is a run $r = (X_e, \{f^e_u\}_{u \in Inc(e)})_{e \in E}$ of protocol $\mathcal{P}^\delta_F$ such that for 
each $e \in E$, we have $X_e = M \cap \Phi(Sig, \{e\})$. 

Proof. We prove the theorem by induction on the size of set $F$. 
If $F = \emptyset$, for each $e \in E$ and each $u \in Inc(e)$, let 

$$f^e_u = \begin{cases} 1, & \text{if } \delta_e \in X_e, \\ 0, & \text{otherwise.} \end{cases}$$

Claim 2 Tuple $(X_e, \{f^e_u\}_{u \in Inc(e)})_{e \in E}$ is a run of protocol $\mathcal{P}^\delta_\emptyset$. 

Proof. The claim immediately follows from Definition 11 and the definition of 
local conditions of protocol $\mathcal{P}^\delta_\emptyset$ on page 20. 


Next, assume that $F = F' \cup \{h\}$. By the induction hypothesis, there is a run 
$r = (X_e, \{f^e_u\}_{u \in Inc(e)})_{e \in E}$ of protocol $\mathcal{P}^\delta_{F'}$ such that $X_e = M \cap \Phi(Sig, \{e\})$ for 
each $e \in E$. If $\Box_h \delta \notin X_h$ or $\delta_h \in X_h$, then, by Definition 11, run $r$ is a run of 
protocol $\mathcal{P}^\delta_F$. Suppose now that $\Box_h \delta \in X_h$ and $\delta_h \notin X_h$. Let $\lambda$ be any positive 
real number such that 

$$\lambda > |f^e_u|$$

for each $e \in E$ and each $u \in Inc(e)$. By the assumption $\Box_h \delta \in X_h$ and 
Lemma 14 there is a path $e_0, v_1, e_1, v_2, e_2, \ldots, v_k, e_k$ in $T_M$ such that $e_0 = h$. 


Let $v_0$ be the end of edge $h$ different from $v_1$ and let $v_{k+1}$ be the end of edge $e_k$ 
different from $v_k$. We next define a tuple $\hat{r} = (X_e, \{\hat{f}^e_u\}_{u \in Inc(e)})_{e \in E}$, for which 
we consider two cases, see Figures 13 and 14. 



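Figure 13: Definition of $\hat{f}^e_u$ if $h \in B$. 


Case I: If $h \in B$, then for each $e \in E$ and each $u \in Inc(e)$, 

$$\hat{f}^e_u = \begin{cases} f^e_u + \lambda, & \text{where } e = e_i,\ u = v_i, \text{ and } 0 \le i \le k, \\ f^e_u - \lambda, & \text{where } e = e_i,\ u = v_{i+1}, \text{ and } 0 \le i < k, \\ f^e_u, & \text{otherwise.} \end{cases}$$

Figure 14: Definition of $\hat{f}^e_u$ if $h \in E \setminus B$. 


Case II: If $h \in E \setminus B$, then for each $e \in E$ and each $u \in Inc(e)$, 

$$\hat{f}^e_u = \begin{cases} f^e_u + \lambda, & \text{where } e = e_i,\ u = v_i, \text{ and } 0 < i \le k, \\ f^e_u - \lambda, & \text{where } e = e_i,\ u = v_{i+1}, \text{ and } 0 \le i < k, \\ f^e_u, & \text{otherwise.} \end{cases}$$

This defines tuple $\hat{r}$. 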

Claim 3 f* + f*, = /® + fu>, f° r each e € Edge{u,u') £ E \ {e 0 , e k }. 
Proof. If e = ej for some 0 < i < k, then 

l:+h = /;+/; +1 = n t + a +/: i+1 - a = /»+ r Vi+l = / u e +#. 

Otherwise, and = /«,. Thus, + /^, = /® + /*,. 


Claim 4 Tuple r is a run of protocol Vp . 



1(c) Due to Claim [ 3 ] and the assumption that r is a run of protocol Vp ,, we 
only need to verify condition 1(c) for edges eo and e k - 

We first verify this condition for edge e 0 . Note that e 0 = h. Thus, 
5 eo £ X e ° due to our assumption. Hence, /®° + /®° < 0, because run r 


satisfies condition 1(c) of Definition 11 
If eo £ B , then 


/, e n ° + q = fvn + a + r v ° - a = /»»+ r° < 0 . 

If eo ^ B , then, since A > 0, 

fz+fz = fii+fii - x < fii+fii < o- 

In either case, we have S eo £ X e ° and /®° + < 0. Thus, condition 1(c) 

is satisfied. 

Next, we verify this condition for the edge e*. Note that 6 ek G X efc , by 
Definition 


12 


Thus, we only need to show that > 0. Indeed, 

0 because run r satisfies condition 1(c). Thus, since A > 0, 


fefc I refc _ fefc , \ , re k ^ , r, 

Jv k i ■/«*,+! -r -T Jv k -r , 


7 ^fc + 1 


> 0. 


2(a) Due to Claim [ 3 ] and the assumption that r is a run of protocol V F ,, we 
again only need to verify condition 2(a) for edges eo and e*,. 

We first verify this condition for edge eg- Note that S eo ^ X e ° by condition 


2 of Definition 12 Since run r satisfies the condition 2(c) of Definition 11 
we have /®° + /®° = 0. Hence, 


fZ + III = fZ + x + fll - x = fZ + fz = 0 . 


For edge e*, this condition is vacuously true because 5 ek G X ek due to 
condition 4 of Definition [12] 


2(b) By the definition of r, for each edge b G B \ {eo,..., e^}, and each vertex 
u G Inc(b ), we have fl = fZ Thus, r on any such edge satisfies condition 
2(b) of Definition 11 because run r does. 

We next show that condition 2(b) is satisfied for each a such that a G B 
and 0 < i < k. Indeed, consider any u G Inc(ei) and suppose that /< 0. 
If u = Vi, then, since A > 0, 


fZ = fZ = fl: - A < fz < 0. 


Thus, D ei VeeC" G X ei because run r satisfies condition 2(b) of Defi¬ 
nition m 

If u = Vi +1 and i < k, then condition 2(b) is satisfied due to condition 3 
of Definition [l2j 

Finally, if i = k and u = Vfc+i, then /= f by the definition of r. Thus, 
condition 2(b) is satisfied by run r because it is satisfied by run r. 


2(c) By the definition of r, for each edge b G B\ {e 0 ,..., e^}, and each vertex 
u G Inc(b), we have fl = fZ Thus, f on any such edge satisfies condition 
2(c) of Definition 11 because run r does. 

We will next show that condition 2(c) is satisfied for each a such that 
e, £ B and 0 < i < k. Indeed, note that A > |/®’ | due to the choice of 
A. Thus 

fvt+i = fvl +1 — A < 0. 

Finally, note that when i = k, we have 5 ek £ X ek . Therefore, condition 
2(c) is vacuously true. 

3(a) Due to Claim [3] and the assumption that r is a run of protocol Vp,, we 
again only need to verify condition 3(a) for edges eo and e*,. 

Note that 0^5 £ X h by our assumption. Recall that eo = h. Thus, 
□ eo <5 £ X e °. Therefore, condition 3(a) is satisfied for edge e 0 . 


By condition 4 of Definition 12 S ek £ X ek . Thus, as we have shown in the 
case 1(c) above, > 0. Therefore, condition 3(a) is vacuously 

true for edge e*,. 

3(b) Due to Claim [3] and the assumption that r is a run of protocol Vp, , we 
again only need to verify condition 3(b) for edges eo and e*,. 

Note that Sh X h by our assumption. Recall that eo = h. Thus, 8 e „ ^ 
X e °. Since r is a run of protocol Vp,, by condition 1(c) of Definition [Ill 
we have /®° + /®° < 0. Hence, due to A > 0, 

fv° 0 + fvl = tt 0 ° +fv!~ a < 0 - A < 0. 

Therefore, condition 3(b) is satisfied for edge eo- By condition 4 of Def¬ 


inition 


12 


S ek £ X ek . Thus, condition 3(b) is vacuously true for edge 


To show that local conditions (see page 20) are satisfied at any vertex u £ V , it 
is sufficient to show that 

E R* E a 

e€.Inc(u ) e£/nc(u) 

Consider first the case when u = vq and eo E B. Since it has been assumed 
(see page [6]) that vertices along any path do not repeat and because A > 0, 


E fe _ 7e 0 
J Vo J Vo 

e£lnc(v o) 


+ E fvo - fv 0 + A + E fZo 

e£lnc(v 0 )\{e 0 } e€/nc(u 0 )\{e 0 } 


= E A 

e£lnc(v o) 


+ A > 


E A- 

e£zlnc(v o) 


Next, consider the case when vertex u = Vi for some 0 < i < k. Then, 

E ft i = ftr 1 +ft: + E ft, 

e£lnc(vi) e£lnc(vi)\{ei — i,ei} 

= f%- 1 - x +ft;+*+ E ft,= E ft,- 

e£lnc(vi)\{ei-i,ei} e£lnc(vi) 

Otherwise, the sum $\sum_{e \in Inc(u)} \hat{f}^e_u$ and the sum $\sum_{e \in Inc(u)} f^e_u$ are equal because 
they consist of equal terms. $\boxtimes$ 

This concludes the proof of Theorem 2. $\boxtimes$ 


The previous theorem constructs a run (“epistemic world”) that matches a
maximal consistent set M on all edges. The next theorem enhances the claim
of the previous theorem by adding an additional condition on the run being
constructed. Namely, if h is a given edge of the graph and r is a given run of
the protocol, then the desired run $\hat r$ can be constructed not only to match set
M on all edges, but also to satisfy the equation $\hat r =_h r$. The theorem assumes,
of course, that run r itself matches set M on edge h. In terms of the network
flow model, the theorem states that if there is a network flow that satisfies local
properties $M \cap \Phi(Sig, \{h\})$ at a given edge h, then this network flow can be
modified to match properties in M globally (on all edges of the graph). The
proof of the theorem below explains how the water can be re-routed through
the graph to achieve the desired outcome.

Theorem 3 For each $h \in E$, each run $r = (X^e, \{f^e_u\}_{u \in Inc(e)})_{e \in E}$ of protocol
$\mathcal{P}^\delta_E$, and each maximal consistent set $M$ such that $X^h = M \cap \Phi(Sig, \{h\})$, there
is a run

$$\hat r = (\hat X^e, \{\hat f^e_u\}_{u \in Inc(e)})_{e \in E}$$

of protocol $\mathcal{P}^\delta_E$ such that

1. $\hat X^e = M \cap \Phi(Sig, \{e\})$ for each $e \in E$,

2. $\hat r =_h r$.

Proof. By Theorem 2 there is a run $r' = (Y^e, \{\ell^e_u\}_{u \in Inc(e)})_{e \in E}$ of protocol $\mathcal{P}^\delta_E$
such that $Y^e = M \cap \Phi(Sig, \{e\})$ for each $e \in E$. We will show how this run can
be modified to obtain the desired run $\hat r$, by considering several possible cases.
Case I: if $\delta_h \in M$, then define $\hat r$ to be the tuple $(Y^e, \{\hat f^e_u\}_{u \in Inc(e)})_{e \in E}$, where

$$\hat f^e_u = \begin{cases} f^e_u, & \text{if } e = h,\\ \ell^e_u, & \text{otherwise.} \end{cases}$$


Claim 5 $\hat r$ is a run of protocol $\mathcal{P}^\delta_E$ and $\hat r =_h r$.


Proof. We need to verify that tuple $\hat r$ satisfies conditions of Definition 11 and
the local conditions of protocol $\mathcal{P}^\delta_E$ on page 20.

We start with the conditions of Definition 11 for an arbitrary edge $e \in E$.
If $e = h$, then $\hat r =_e r$, and thus tuple $\hat r$ satisfies the conditions of Definition 11
on edge e because run r does. Similarly, if $e \neq h$, then $\hat r =_e r'$, and thus tuple
$\hat r$ satisfies the conditions of Definition 11 on edge e because run r' does.

We now show that tuple $\hat r$ vacuously satisfies local conditions of protocol $\mathcal{P}^\delta_E$
at any vertex $v \in V$. If $v \notin Inc(h)$, then $\hat r =_e r'$ for each $e \in Inc(v)$. Thus, tuple
$\hat r$ satisfies local conditions of protocol $\mathcal{P}^\delta_E$ because run r' does. If $v \in Inc(h)$,
then tuple $\hat r$ vacuously satisfies local conditions of protocol $\mathcal{P}^\delta_E$ because $\delta_h \in M$.

The condition $\hat r =_h r$ is satisfied because (i) $Y^h = M \cap \Phi(Sig, \{h\}) = X^h$
and (ii) for each $u \in Inc(h)$. ⊠


Case II: if $\delta_h \notin M$ and $h \in E \setminus B$. Let $h \in Edge(v_0, v_1)$. Since $h \notin B$, there
is a circular path $h = e_0, v_1, e_1, v_2, \dots, v_{k-1}, e_{k-1}, v_k, e_k = h$. By Definition 9,
$e_i \notin B$ for each $0 < i < k$. We will now further split this case into two subcases:


Subcase Ila: If £ M, then define r to be tuple ( Y e , {ff} u einc(e)}e£E, see 
Figure 15 where 


/, 


Us. 


, if e = ei, u = Vi, and 0 < i < k, 
if e = ei, u = Uj+i, and 0 < i < k, 
otherwise. 



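Claim 6 $\hat f^{e_i}_{v_i} + \hat f^{e_i}_{v_{i+1}} = \ell^{e_i}_{v_i} + \ell^{e_i}_{v_{i+1}}$ and
$\hat f^{e_i}_{v_{i+1}} + \hat f^{e_{i+1}}_{v_{i+1}} = \ell^{e_i}_{v_{i+1}} + \ell^{e_{i+1}}_{v_{i+1}}$, for each $0 < i < k$.

Proof. By condition 1(c) of Definition 11 the assumption $\delta_h \notin M$ implies that
$f^h_{v_0} + f^h_{v_1} \le 0$ and $\ell^h_{v_0} + \ell^h_{v_1} \le 0$. By condition 3(a) of the same definition, the
assumption $\Box_h \delta \notin M$ implies that $f^h_{v_0} + f^h_{v_1} \ge 0$ and $\ell^h_{v_0} + \ell^h_{v_1} \ge 0$. Thus,
$f^h_{v_0} + f^h_{v_1} = 0$ and $\ell^h_{v_0} + \ell^h_{v_1} = 0$. Therefore,

$$\begin{aligned}
\hat f^{e_i}_{v_i} + \hat f^{e_i}_{v_{i+1}}
&= \ell^{e_i}_{v_i} + f^h_{v_0} - \ell^h_{v_0} + \ell^{e_i}_{v_{i+1}} + f^h_{v_1} - \ell^h_{v_1} \\
&= \ell^{e_i}_{v_i} + \ell^{e_i}_{v_{i+1}} + (f^h_{v_0} + f^h_{v_1}) - (\ell^h_{v_0} + \ell^h_{v_1}) \\
&= \ell^{e_i}_{v_i} + \ell^{e_i}_{v_{i+1}} + 0 - 0 = \ell^{e_i}_{v_i} + \ell^{e_i}_{v_{i+1}},
\end{aligned}$$

and

$$\begin{aligned}
\hat f^{e_i}_{v_{i+1}} + \hat f^{e_{i+1}}_{v_{i+1}}
&= \ell^{e_i}_{v_{i+1}} + f^h_{v_1} - \ell^h_{v_1} + \ell^{e_{i+1}}_{v_{i+1}} + f^h_{v_0} - \ell^h_{v_0} \\
&= \ell^{e_i}_{v_{i+1}} + \ell^{e_{i+1}}_{v_{i+1}} + (f^h_{v_0} + f^h_{v_1}) - (\ell^h_{v_0} + \ell^h_{v_1}) \\
&= \ell^{e_i}_{v_{i+1}} + \ell^{e_{i+1}}_{v_{i+1}} + 0 - 0 = \ell^{e_i}_{v_{i+1}} + \ell^{e_{i+1}}_{v_{i+1}}.
\end{aligned}$$

Claim 7 $\hat r$ is a run of protocol $\mathcal{P}^\delta_E$ and $\hat r =_h r$.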


Proof. We need to verify that the tuple $\hat r$ satisfies the conditions of Definition 11
and the local conditions of protocol $\mathcal{P}^\delta_E$ on page 20.

We start with the conditions of Definition 11 for an arbitrary edge $e \in E$. If
$e = e_i$ for some $0 < i < k$, then, due to the path being circular, $e \notin B$. Thus, all
applicable conditions from Definition 11 are satisfied for tuple $\hat r$ because they
are satisfied for run r' and due to the equality
$\hat f^{e_i}_{v_i} + \hat f^{e_i}_{v_{i+1}} = \ell^{e_i}_{v_i} + \ell^{e_i}_{v_{i+1}}$ established
in Claim 6. If $e \neq e_i$ for all $0 < i < k$, then the required is true because $\hat r =_e r'$.

We now show that tuple $\hat r$ satisfies local conditions of protocol $\mathcal{P}^\delta_E$ at any
vertex $v \in V$. If $v = v_{i+1}$ for some $0 < i < k$, then
$\hat f^{e_i}_{v_{i+1}} + \hat f^{e_{i+1}}_{v_{i+1}} = \ell^{e_i}_{v_{i+1}} + \ell^{e_{i+1}}_{v_{i+1}}$
by Claim 6. Thus,
$\sum_{e \in Inc(v_{i+1})} \hat f^e_{v_{i+1}} = \sum_{e \in Inc(v_{i+1})} \ell^e_{v_{i+1}}$.
If $v \neq v_{i+1}$ for all $0 < i < k$, then $\hat r =_e r'$ for all $e \in Inc(v)$. In either of these
two cases, tuple $\hat r$ satisfies the local conditions of protocol $\mathcal{P}^\delta_E$ at vertex $v \in V$
because run r' satisfies these conditions.

Condition $\hat r =_h r$ is satisfied because (i) $Y^h = M \cap \Phi(Sig, \{h\}) = X^h$, (ii)
$\hat f^h_{v_0} = \ell^h_{v_0} + f^h_{v_0} - \ell^h_{v_0} = f^h_{v_0}$, and (iii)
$\hat f^h_{v_1} = \ell^h_{v_1} + f^h_{v_1} - \ell^h_{v_1} = f^h_{v_1}$.


f h 

I Vi 



m-O+rto 

A£f,, 


if e = e,, u = Vi, and 0 < i < k, 
if e = e,, u = Vi+\, and 0 <i<k, 
otherwise. 



+ £ h )-f h 

1 *"Vn / J Vi 
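Claim 8 $\hat f^{e_i}_{v_i} + \hat f^{e_i}_{v_{i+1}} = \lambda(\ell^{e_i}_{v_i} + \ell^{e_i}_{v_{i+1}})$ and
$\hat f^{e_i}_{v_{i+1}} + \hat f^{e_{i+1}}_{v_{i+1}} = \lambda(\ell^{e_i}_{v_{i+1}} + \ell^{e_{i+1}}_{v_{i+1}})$ for
each $0 < i < k$.

Proof.

$$\hat f^{e_i}_{v_i} + \hat f^{e_i}_{v_{i+1}} = \lambda(\ell^{e_i}_{v_i} - \ell^h_{v_0}) + f^h_{v_0} + \lambda(\ell^{e_i}_{v_{i+1}} + \ell^h_{v_0}) - f^h_{v_0} = \lambda(\ell^{e_i}_{v_i} + \ell^{e_i}_{v_{i+1}}).$$

Similarly,

$$\hat f^{e_i}_{v_{i+1}} + \hat f^{e_{i+1}}_{v_{i+1}} = \lambda(\ell^{e_i}_{v_{i+1}} + \ell^h_{v_0}) - f^h_{v_0} + \lambda(\ell^{e_{i+1}}_{v_{i+1}} - \ell^h_{v_0}) + f^h_{v_0} = \lambda(\ell^{e_i}_{v_{i+1}} + \ell^{e_{i+1}}_{v_{i+1}}).$$

Claim 9 $\hat r$ is a run of protocol $\mathcal{P}^\delta_E$ and $\hat r =_h r$.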


Proof. We need to verify that tuple $\hat r$ satisfies the conditions of Definition 11
and the local conditions of protocol $\mathcal{P}^\delta_E$ on page 20.

We start with the conditions of Definition 11 for an arbitrary edge $e \in E$.
If $e = e_i$ for some $0 < i < k$, then $e \notin B$ since the path is circular. Thus, all
applicable conditions from Definition 11 are satisfied for tuple $\hat r$ because they are
satisfied for run r' and due to $\lambda > 0$ and the equality
$\hat f^{e_i}_{v_i} + \hat f^{e_i}_{v_{i+1}} = \lambda(\ell^{e_i}_{v_i} + \ell^{e_i}_{v_{i+1}})$
established in Claim 8. If $e \neq e_i$ for all $0 < i < k$, then the required is true
because run r' satisfies the conditions from Definition 11 and $\hat f^e_u = \lambda\ell^e_u$ for each
$u \in Inc(e)$, where $\lambda > 0$.

We now show that tuple $\hat r$ satisfies the local conditions of protocol $\mathcal{P}^\delta_E$ at any
vertex $v \in V$. If $v = v_{i+1}$ for some $0 < i < k$, then
$\hat f^{e_i}_{v_{i+1}} + \hat f^{e_{i+1}}_{v_{i+1}} = \lambda(\ell^{e_i}_{v_{i+1}} + \ell^{e_{i+1}}_{v_{i+1}})$
by Claim 8. Thus,
$\sum_{e \in Inc(v_{i+1})} \hat f^e_{v_{i+1}} = \lambda \sum_{e \in Inc(v_{i+1})} \ell^e_{v_{i+1}}$.
If $v \neq v_{i+1}$ for all $0 < i < k$, then $\hat f^e_v = \lambda\ell^e_v$ for all $e \in Inc(v)$. In either of
these two cases, tuple $\hat r$ satisfies the local conditions of protocol $\mathcal{P}^\delta_E$ at vertex
$v \in V$ because run r' satisfies these conditions and $\lambda > 0$.

The condition $\hat r =_h r$ is satisfied because $Y^h = M \cap \Phi(Sig, \{h\}) = X^h$,

$$\hat f^h_{v_0} = \lambda(\ell^h_{v_0} - \ell^h_{v_0}) + f^h_{v_0} = 0 + f^h_{v_0} = f^h_{v_0},$$

and

$$\hat f^h_{v_1} = \lambda(\ell^h_{v_1} + \ell^h_{v_0}) - f^h_{v_0} = \frac{f^h_{v_0} + f^h_{v_1}}{\ell^h_{v_0} + \ell^h_{v_1}}\,(\ell^h_{v_0} + \ell^h_{v_1}) - f^h_{v_0} = f^h_{v_0} + f^h_{v_1} - f^h_{v_0} = f^h_{v_1}.$$

Case III: If $\delta_h \notin M$ and $h \in B$. Let $h \in Edge(v_0, v_1)$. There are three subcases:


Subcase Ilia: If f,^ ■ Cf = 0, then 
□ ^ X h . Thus, again by Lemma [ll[ fff = 0 

Furthermore, Y h = M D $(Sig 7 {/i}j = X h . Hence, r =h r'. Let r = r'. 


— 0 or = 0. Hence, by Lemma 

h - n ft = 4 = 0 ° h 


11 


and =0. 
Subcase IIIb: If $f^h_{v_1} \cdot \ell^h_{v_1} > 0$, then define $\hat r$ to be tuple

$$(Y^e, \{(f^h_{v_1}/\ell^h_{v_1})\,\ell^e_u\}_{u \in Inc(e)})_{e \in E}.$$

By Corollary 2 and the fact that r' is a run of protocol $\mathcal{P}^\delta_E$, tuple $\hat r$ is a run of
protocol $\mathcal{P}^\delta_E$. Since $Y^h = M \cap \Phi(Sig, \{h\}) = X^h$, to show that $\hat r =_h r$, it is
sufficient to show that $(f^h_{v_1}/\ell^h_{v_1})\,\ell^h_{v_1} = f^h_{v_1}$ and
$(f^h_{v_1}/\ell^h_{v_1})\,\ell^h_{v_0} = f^h_{v_0}$. The former
is an algebraic identity, the latter follows from the equalities $f^h_{v_0} + f^h_{v_1} = 0$ and
$\ell^h_{v_0} + \ell^h_{v_1} = 0$, which, in turn, follow from condition 2(a) of Definition 11.


Subcase IIIc: If /„ • C < 0, then /c V 0. By Definition 11 part 2(a), it 


follows that either /,(( < 0 or < 0. We consider the former case, the later 

one is similar. If /,(( < 0, then VeeC” 1 C € X h by Definition |llj part 2(b). 

Hence, Uh VeeC” 1 £ M. Thus, Oh VeeC” 1 C £ Y h . By Lemma |13| there is a 
path $e_0, v_1, e_1, v_2, \dots, v_k, e_k$ in $T_M$ such that $h = e_0$. Let $\lambda$ be any positive real
number such that

$$\lambda > |\ell^e_u|$$

for each $e \in E$ and each $u \in Inc(e)$. Also, let $\mu = f^h_{v_0}/(\ell^h_{v_0} + \lambda)$. Recall that
$f^h_{v_1} < 0$. Thus, $f^h_{v_0} > 0$ by condition 2(a) of Definition 11. Additionally, note
that $\lambda > |\ell^h_{v_0}|$. Thus, $\mu > 0$.

Define $\hat r$ to be tuple $(Y^e, \{\hat f^e_u\}_{u \in Inc(e)})_{e \in E}$, see Figure 17, where

$$\hat f^e_u = \begin{cases}
\mu(\ell^e_u + \lambda), & \text{if } e = e_i,\ u = v_i, \text{ and } 0 < i < k,\\
\mu(\ell^e_u - \lambda), & \text{if } e = e_i,\ u = v_{i+1}, \text{ and } 0 < i < k,\\
\mu\ell^e_u, & \text{otherwise.}
\end{cases} \qquad (21)$$

Figure 17: Subcase IIIc, the last vertex of the path, not named in the text, is
denoted by $v_{k+1}$ on this figure.


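Claim 10 $\hat f^e_u + \hat f^e_{u'} = \mu(\ell^e_u + \ell^e_{u'})$, for each edge $e \in Edge(u, u')$ with $e \in E \setminus \{e_k\}$.

Proof. If $e = e_i$ for some $0 < i < k$, then

$$\hat f^{e_i}_{v_i} + \hat f^{e_i}_{v_{i+1}} = \mu(\ell^{e_i}_{v_i} + \lambda) + \mu(\ell^{e_i}_{v_{i+1}} - \lambda) = \mu(\ell^{e_i}_{v_i} + \ell^{e_i}_{v_{i+1}}).$$

If $e \neq e_i$ for all $0 < i < k$, then $\hat f^e_u + \hat f^e_{u'} = \mu\ell^e_u + \mu\ell^e_{u'} = \mu(\ell^e_u + \ell^e_{u'})$.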
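Claim 11 $\sum_{e \in Inc(u)} \hat f^e_u \ge \mu \sum_{e \in Inc(u)} \ell^e_u$ for each vertex $u \in V$.

Proof. If $u \neq v_i$ for all $0 < i < k$, then

$$\sum_{e \in Inc(u)} \hat f^e_u = \sum_{e \in Inc(u)} \mu\ell^e_u = \mu \sum_{e \in Inc(u)} \ell^e_u.$$

If $u = v_{i+1}$ for some $0 < i < k$, then

$$\begin{aligned}
\sum_{e \in Inc(u)} \hat f^e_u
&= \hat f^{e_i}_{v_{i+1}} + \hat f^{e_{i+1}}_{v_{i+1}} + \sum_{e \in Inc(v_{i+1}) \setminus \{e_i, e_{i+1}\}} \hat f^e_{v_{i+1}} \\
&= \mu(\ell^{e_i}_{v_{i+1}} - \lambda) + \mu(\ell^{e_{i+1}}_{v_{i+1}} + \lambda) + \sum_{e \in Inc(v_{i+1}) \setminus \{e_i, e_{i+1}\}} \mu\ell^e_{v_{i+1}} \\
&= \mu(\ell^{e_i}_{v_{i+1}} + \ell^{e_{i+1}}_{v_{i+1}}) + \mu \sum_{e \in Inc(v_{i+1}) \setminus \{e_i, e_{i+1}\}} \ell^e_{v_{i+1}} \\
&= \mu \sum_{e \in Inc(v_{i+1})} \ell^e_{v_{i+1}}.
\end{aligned}$$

Finally, if $u = v_0$, then, since $\lambda > 0$ and $\mu > 0$,

$$\begin{aligned}
\sum_{e \in Inc(u)} \hat f^e_u
&= \hat f^{e_0}_{v_0} + \sum_{e \in Inc(v_0) \setminus \{e_0\}} \hat f^e_{v_0} \\
&= \mu(\ell^{e_0}_{v_0} + \lambda) + \sum_{e \in Inc(v_0) \setminus \{e_0\}} \mu\ell^e_{v_0} \\
&= \mu\Big(\ell^{e_0}_{v_0} + \sum_{e \in Inc(v_0) \setminus \{e_0\}} \ell^e_{v_0}\Big) + \mu\lambda \\
&= \mu \sum_{e \in Inc(v_0)} \ell^e_{v_0} + \mu\lambda \\
&> \mu \sum_{e \in Inc(v_0)} \ell^e_{v_0}.
\end{aligned}$$

The last inequality is true because $\lambda > 0$ and $\mu > 0$.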


Claim 12 $\hat r$ is a run of protocol $\mathcal{P}^\delta_E$ and $\hat r =_h r$.

Proof. We need to verify that tuple $\hat r$ satisfies the conditions of Definition 11 and
the local conditions of protocol $\mathcal{P}^\delta_E$ on page 20. Below by $v_{k+1}$ we denote the end
of edge $e_k$ different from vertex $v_k$. We start with conditions of Definition 11.

1(c) Due to Claim 10 and the assumption that r' is a run of protocol $\mathcal{P}^\delta_E$, we
only need to verify condition 1(c) for edge $e_k$. Note that $\delta_{e_k} \in X^{e_k}$, by
Definition 12. Thus, we only need to show that $\hat f^{e_k}_{v_k} + \hat f^{e_k}_{v_{k+1}} > 0$. Indeed,
$\ell^{e_k}_{v_k} + \ell^{e_k}_{v_{k+1}} > 0$ because run r' satisfies condition 1(c). Since $\lambda > 0$ and
$\mu > 0$,

$$\hat f^{e_k}_{v_k} + \hat f^{e_k}_{v_{k+1}} = \mu(\ell^{e_k}_{v_k} + \lambda) + \mu\ell^{e_k}_{v_{k+1}} = \mu(\ell^{e_k}_{v_k} + \ell^{e_k}_{v_{k+1}}) + \mu\lambda > \mu(\ell^{e_k}_{v_k} + \ell^{e_k}_{v_{k+1}}) > 0.$$

2(a) Due to Claim 10 and the assumption that r' is a run of protocol $\mathcal{P}^\delta_E$, we
again only need to verify condition 2(a) for edge $e_k$, which is vacuously
true because $\delta_{e_k} \in X^{e_k}$ due to condition 4 of Definition 12.

2(b) By the definition of $\hat r$, for each edge $b \in B \setminus \{e_0, \dots, e_k\}$, and each vertex
$u \in Inc(b)$, we have $\hat f^b_u = \mu\ell^b_u$. Thus, $\hat r$ on any such edge satisfies condition
2(b) of Definition 11 because run r' does and $\mu > 0$.

We next show that condition 2(b) is satisfied for each $e_i$ such that $e_i \in B$
and $0 < i < k$. Indeed, consider any $u \in Inc(e_i)$ and suppose that $\hat f^{e_i}_u < 0$.

If $u = v_i$, then, since $\lambda > 0$ and $\mu > 0$, from equation (21), we have

$$\ell^{e_i}_{v_i} = \frac{\hat f^{e_i}_{v_i}}{\mu} - \lambda < \frac{\hat f^{e_i}_{v_i}}{\mu} < 0.$$


Thus, U ei V ee c" ^ £ X ei because run r' satisfies condition 2(b) of Def¬ 
inition m 

If $u = v_{i+1}$ and $i < k$, then condition 2(b) is satisfied due to condition 3
of Definition 12.

Finally, if $i = k$ and $u = v_{k+1}$, then $\hat f^{e_k}_{v_{k+1}} = \mu\ell^{e_k}_{v_{k+1}}$ by the definition of $\hat r$.
Thus, condition 2(b) is satisfied by run $\hat r$ because it is satisfied by run r'
and since $\mu > 0$.


2(c) By the definition of $\hat r$, for each edge $b \in B \setminus \{e_0, \dots, e_k\}$, and each vertex
$u \in Inc(b)$, we have $\hat f^b_u = \mu\ell^b_u$. Thus, $\hat r$ on any such edge satisfies condition
2(c) of Definition 11 because run r' does and $\mu > 0$.

We will next show that condition 2(c) is satisfied for each $e_i$ such that
$e_i \in B$ and $0 < i < k$. Indeed, note that $\lambda > |\ell^{e_i}_{v_{i+1}}|$ due to the choice of
$\lambda$. Thus

$$\hat f^{e_i}_{v_{i+1}} = \mu(\ell^{e_i}_{v_{i+1}} - \lambda) < 0.$$

Finally, note that when $i = k$, we have $\delta_{e_k} \in X^{e_k}$. Therefore, condition
2(c) is vacuously true.

3(a) Due to Claim 10 and the assumption that r' is a run of protocol $\mathcal{P}^\delta_E$, we
again only need to verify condition 3(a) for edge $e_k$. By condition 4 of
Definition 12, $\delta_{e_k} \in X^{e_k}$. Thus, as we have shown in the case 1(c) above,
$\hat f^{e_k}_{v_k} + \hat f^{e_k}_{v_{k+1}} > 0$. Therefore, condition 3(a) is vacuously true for edge $e_k$.

3(b) Due to Claim 10 and the assumption that r' is a run of protocol $\mathcal{P}^\delta_E$, we
once more only need to verify condition 3(b) for edge $e_k$. By condition
4 of Definition 12, $\delta_{e_k} \in X^{e_k}$. Thus, condition 3(b) is vacuously true for
edge $e_k$.
The local conditions (see page 20) are satisfied by tuple $\hat r$ at each vertex $u \in V$
because they are satisfied by run r' and due to Claim 11 combined with the fact
that $\mu > 0$.

To show that $\hat r =_h r$, first note that $Y^h = M \cap \Phi(Sig, \{h\}) = X^h$. Then,
observe that

$$\hat f^h_{v_0} = \mu(\ell^h_{v_0} + \lambda) = \frac{f^h_{v_0}}{\ell^h_{v_0} + \lambda}\,(\ell^h_{v_0} + \lambda) = f^h_{v_0}.$$

Finally, note that $f^h_{v_0} = -f^h_{v_1}$ and $\ell^h_{v_0} = -\ell^h_{v_1}$ because runs r and r' satisfy
condition 2(a) of Definition 11. Thus,

$$\hat f^h_{v_1} = \mu(\ell^h_{v_1} - \lambda) = \frac{f^h_{v_0}}{\ell^h_{v_0} + \lambda}\,(\ell^h_{v_1} - \lambda) = \frac{-f^h_{v_1}}{-\ell^h_{v_1} + \lambda}\,(\ell^h_{v_1} - \lambda) = f^h_{v_1}.$$

This concludes the proof of Theorem [3] 
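The re-routing step of Subcase IIa in the proof above, as an added example that is not part of the paper: one offset is pushed around a circular path through h, so that h takes the flow of run r while the edge sums (Claim 6) and the vertex sums (compared in the proof of Claim 7) of run r' stay unchanged. The graph, the numbers and the function names are constructed for illustration, and both flows are assumed to sum to zero on h, as derived in the proof of Claim 6.

```python
def reroute_on_cycle(ell, cycle, f_h):
    """Return the flows of r-hat: ell with one offset pushed around a cycle.

    ell   : {edge: {vertex: flow at that end}}, the flows of run r'
    cycle : [(edge, tail, head), ...] for e_0 = h, e_1, ..., e_{k-1}; the
            head of each edge is the tail of the next, and the last head is
            the tail of h, so the path is circular
    f_h   : {v0: flow, v1: flow}, the flow of run r on edge h
    """
    h, v0, v1 = cycle[0]
    if f_h[v0] + f_h[v1] != 0 or ell[h][v0] + ell[h][v1] != 0:
        raise ValueError("both flows must sum to zero on h")
    if len({e for e, _, _ in cycle}) != len(cycle):
        raise ValueError("an edge repeats on the path")
    for (_, _, head), (_, tail, _) in zip(cycle, cycle[1:] + cycle[:1]):
        if head != tail:
            raise ValueError("edges do not form a circular path")
    d_tail = f_h[v0] - ell[h][v0]  # added at the v_i end of each e_i
    d_head = f_h[v1] - ell[h][v1]  # added at the v_{i+1} end; equals -d_tail
    new = {e: dict(ends) for e, ends in ell.items()}
    for e, tail, head in cycle:
        new[e][tail] += d_tail
        new[e][head] += d_head
    return new


def edge_sums(flow):
    """Sum of the two end values of every edge (the quantity in Claim 6)."""
    return {e: sum(ends.values()) for e, ends in flow.items()}


def vertex_sums(flow):
    """Sum over incident edges at every vertex (compared in Claim 7)."""
    totals = {}
    for ends in flow.values():
        for v, x in ends.items():
            totals[v] = totals.get(v, 0) + x
    return totals


# Constructed sample: triangle a-b-c through h plus an off-cycle edge g.
ELL = {
    "h": {"a": 2, "b": -2},
    "e1": {"b": 5, "c": -1},
    "e2": {"c": 3, "a": -3},
    "g": {"c": 1, "d": 4},
}
CYCLE = [("h", "a", "b"), ("e1", "b", "c"), ("e2", "c", "a")]
F_H = {"a": -7, "b": 7}  # constructed flow of run r on h

if __name__ == "__main__":
    new = reroute_on_cycle(ELL, CYCLE, F_H)
    print("h now carries", new["h"])
    print("edge sums kept:", edge_sums(new) == edge_sums(ELL))
    print("vertex sums kept:", vertex_sums(new) == vertex_sums(ELL))
```
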


7.4 Aggregated Protocol

Recall from Section 7.2 that canonical protocol $\mathcal{P}^\delta_E$ has formula $\delta$ as a parameter.
In this section we introduce a construction that aggregates multiple canonical
protocols. One can view a run of the aggregated protocol $\mathcal{P}$ as several runs of
different canonical protocols for different values of parameter $\delta$ being executed
concurrently on different “levels”. Also recall that a value of an edge under a
canonical protocol consists of a maximal consistent set of formulas and a pair
of real numbers (flow values). Although there is no explicit connection between
flow values on different levels for the same edge, we assume that maximal
consistent sets are the same on all layers for a given edge of the aggregated protocol,
see Definition 13.

Definition 13 A value $w^e$ of an edge $e \in E$ under the aggregated protocol $\mathcal{P}$
is a tuple $(X, \{f_{v,\delta}\}_{v \in Inc(e), \delta \in A(Sig)})$ such that $(X, \{f_{v,\delta}\}_{v \in Inc(e)})$ is a value of
edge e under protocol $\mathcal{P}^\delta_E$ for each $\delta \in A(Sig)$.


Valuation. Let ir be a function such that, for each e £ E and p £ P e , set p w 
contains all values (. X , {f v ,s}veinc(e),SeA(Sig)), where p £ X. 

Local Conditions. A tuple $(X^e, \{f^e_{v,\delta}\}_{v \in Inc(e), \delta \in A(Sig)})_{e \in Inc(u)}$ satisfies the
local conditions of protocol $\mathcal{P}$ at vertex u if for each $\delta \in A(Sig)$, the tuple
$(X^e, \{f^e_{v,\delta}\}_{v \in Inc(e)})_{e \in Inc(u)}$ satisfies local conditions of protocol $\mathcal{P}^\delta_E$ at vertex u.
This concludes the definition of the aggregated protocol $\mathcal{P}$.

Theorem 4 If $e \in E$, $\varphi \in \Phi(Sig, \{e\})$, and tuple

$$r = (X^h, \{f^h_{u,\delta}\}_{u \in Inc(h), \delta \in A(Sig)})_{h \in E}$$

is a run of protocol $\mathcal{P}$, then $r \Vdash \varphi$ if and only if $\varphi \in X^e$.










Proof. We prove the theorem by induction on the structural complexity of
formula $\varphi$. If $\varphi$ is a proposition $p \in P_e$, then the required follows from Definition 7
and the definition of valuation function $\pi$ for protocol $\mathcal{P}$. The cases when $\varphi$ is
constant $\bot$ or an implication $\varphi_1 \to \varphi_2$ follow from Definition 7 and the
maximality and the consistency of set $X^e$ in the standard way. Now let $\varphi$ be of the
form $\Box_e \psi$.

(=>) : Suppose that A, V hge the conjunctive normal form of ~<ip such that 
ip l h £ {h}) for each h € E. Thus, the following statement can be proven 

using just the axioms of the propositional logic in language $(Sig) 

7 A V (22) 

i h£E 


Assume that n e tp £ X e . To prove that r lb □ e ip, it suffices to show that there 
is a run f of the canonical protocol Ve such that r = e r and fib A?; \/i lf z E AA 
The assumption D e ip £ X e and the maximality of set X e imply that X e Y 
U e ip. Thus, X e Y ip by Lemma [4] Hence, set X e U {-■ ip } is consistent. Let M 
be any maximal consistent extension of X e U {“'V'}- By Theorem [3j for each 
S £ A (Sig) there is a run r$ = ( X h , {f£ s } U £inc(h))heE of the canonical protocol 
V E such that f = e r and X h = M D $(Sig, {/i}) for each h £ E. Define tuple f 
to be u<Einc(h),6£A(Sig)}h£E • By the definition of protocol V, tuple f 

is a run of V. 

We next show that f lb /\- \J heE tp l h - Suppose the opposite, then there is 
*o such that f lb V h&E^h- Thus, f lb ip l /p for each h £ E. Hence, by the 
induction hypothesis, iph £ X h for each h £ E. Recall that iph £ ®(Sig,{h}) 


and X h is a maximal consistent subset of $>(Sig, {h}) for each h £ E. Thus, 




£ X h C M for each h £ E. Hence, f\ hGE ^I’h e Tf due to maximality 


of the set M. Then, Ml-V 


heE 




\h£E Vh 

Hence, Ml- 1 [\ l \J heE ip l h . Therefore, 


M b ip, by statement (22). The latter contradicts the choice of set M being a 
maximal consistent extension of set X e U {~>ip}. 

(<=) : Suppose that U e ip £ X e . We will show that r lb U e ip. Consider any run 
r = (X h ,{% s } ueinc(h),6eA(Sig))heE of the aggregated protocol V such that 
r — e r. It suffices to prove that fib ip. 

Let A i \/heE V ’h Le a conjunctive normal form of ip such that ip l h £ <&(Sig, {h}) 
for each h £ E. Then, for each i. the following statement can be proven using 
just the axioms of the propositional logic in language >1 '(Sig) 


b ip~>\/ i>h- 

heE 


By Necessitation inference rule 


bn e \/ 

\ h&E 
By Distributivity axiom and Modus Ponens inference rule, 


b DeV* ■ 


□ < 


V ^h- 


h£E 


Note that X e = X e due to the assumption r = e r. 
heE^h e Bet ^ denote the formula \J h£E ^. Recall that r is 


Thus, for each i, we have m e \/ heE £ X e due to the assumption D e tp £ X 
and the maximality of set X e 
Hence, U e \J h&E ip l h £ X 
a run of protocol V. Hence, by the definition of the aggregated protocol, tuple 
(. X h , {f^^} u einc(h))hGE is a run of protocol V E , and so, by Lemma 12 it is a 

run of protocol 'Pj e y ■ Then, by Theorem jlj there is an edge ho £ E such that 
if l ho £ X h °. Thus, by the induction hypothesis, r lb ip l h() . Hence, r lb \Z hGE 'f ,x h 
for each i. Then, r lb A iMheE^h- Therefore, f lb if. HI 


Theorem 5 (completeness) For any signature Sig and any formula $\varphi \in \Phi(Sig)$,
if $\nvdash \varphi$, then there exists a protocol $\mathcal{P}$ over Sig and a run r of $\mathcal{P}$ such
that $r \nVdash \varphi$.

Proof. Suppose that b ip. Let M be a maximal consistent subset of <f '(Sig) 
containing the formula —up. Assume that f\ { \J eg£ , ip z e is the conjunctive normal 
form of the formula -up such that ip\ £ ${Sig, {e}) for each i and each e £ E. 
Since -up £ M, for each i there exists e* £ E such that ip l e . £ M. By Theo¬ 
rem^ for each S £ A(Sig), there exists a run r s = (X h , {fu} u einc(h))h£E of 
the canonical protocol V E such that X h = MC\$(Sig, {/i}) for all h £ E. Thus, 
ifi. £ x ei for each i. Consider tuple r = {X h , {f^ s } ue i nc (h),5eA(Sig))heE- By 
the definition of the aggregated protocol, tuple r is a run of protocol V. Hence, 
r b (pi . for each i, by Theorem |4] Therefore, r lb f\ i \J eeE ipl and so r II— 'F- ^ 


8 Conclusion 

In this article we have developed a formal modal logical framework for
reasoning about information flow in communication networks with a fixed topological
structure. Our main results are the soundness and the completeness of this
logical system. At the core of the proof of the completeness is a well-known network
flow protocol. A natural possible extension of this work is to develop a similar
system for directed graphs that represent networks with one-way
communication channels. Another possible extension is a distributed knowledge system
with a modality $\Box_A$ in which the statement $\Box_A \varphi$ is interpreted as “any agent
that eavesdrops on all channels in set A knows that $\varphi$ is true”.

Another possible direction for future work is to develop logical
frameworks for reasoning about information flow in more specialized settings. An
example of such a setting is the influence flow in social networks. The
influence in social networks is usually modeled by a relatively simple and very
specific form of “local conditions” such as those in the commonly used threshold
model. A logical framework for such a setting is likely
to include a more powerful version of the Gateway axiom. The canonical network
construction for the proof of the completeness presented in this article is very
unlikely to be adaptable to the much more restricted interpretation of local
conditions found in social networks.